Closed Bug 1237967 Opened 4 years ago Closed 4 years ago
XSS in Edit Review Functionality of AMO (rating POST parameter is vulnerable)
Ashar -- is that Edit Review page visible to users other than yourself? Are you able to get the reflected XSS when logged in as a separate user, or not logged in?
No. It does not reflect for the other user. The exploitation for this case is hard given Self-XSS.
Hi. No progress on this bug. I think it is because of low profile XSS or ...
Sorry about that, it's been a busy week. :)
It was just a reminder and it seems it worked out :) Bug status has been changed :)
Stuart, whilst you are looking at CSP etc., could you take a quick look at this please? It's a self-XSS, so very low priority.
Assignee: nobody → scolville
Component: Add-on Security → Administration
Status: NEW → ASSIGNED
Fix is committed - should be rolled out shortly. https://github.com/mozilla/addons-server/commit/29e7607aefc08c3b2e4f07c4e055b0c5575253b8
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Fix is on prod.
Good! Can you make it open? It is closed for public viewing.
Product: addons.mozilla.org → addons.mozilla.org Graveyard