Created attachment 8733468 [details] pontoon.png User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36 Steps to reproduce: go to "https://pontoon.mozilla.org" Login as a new User go to "https://pontoon.mozilla.org/profile/" in [what's your name ?] input type "<svg/onload=prompt("XSS)>" go to "https://pontoon.mozilla.org/projects/" Actual results: XSS Pop-up appears (Even to non-Authenticated users) Expected results: Filtering the inputs
Commits pushed to master at https://github.com/mozilla/pontoon https://github.com/mozilla/pontoon/commit/83c97bb3c197052caca4ebc62773fb996877370d Fix bug 1258774 Sanitize first_name during saving user profile. https://github.com/mozilla/pontoon/commit/cecaf470a87b219fedadc985ef0fc272c90e9be8 Merge pull request #367 from jotes/bug_1258774_fix Fix bug 1258774 Sanitize first_name.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
That means it qualifies for a bounty ?
Muhammed, thank you so much for reporting this! I don't know if https://pontoon.mozilla.org/ is part of the bug bounty program, so I'm NIing Al and Daniel who can help us figure it out.
putting it on the bounty nomination review list
Commits pushed to master at https://github.com/mozilla/pontoon https://github.com/mozilla/pontoon/commit/1994ca599dd7231a8baf44b7d96143805d277a21 Fix bug 1258774. Added tests for the nospam template filter and the save-user-name view. https://github.com/mozilla/pontoon/commit/221c3b50ff64ba0f87a8bb24acf913e675ca9202 Merge pull request #368 from jotes/bug_1258774_tests Fix bug 1258774. Added tests for the nospam template filter and the s…
From what I see on the wiki, stored XSS qualifies as sec-critical: https://wiki.mozilla.org/Security_Severity_Ratings
Are there any updates ?
Bug Bounty Committee: We aren't familiar with this site or what is. That affects the security rating. Note: This site is not normally eligible for bounties as it isn't on the list in the FAQ.
i can see "Additionally, Mozilla services that handle reasonably sensitive user data such as Sync and Hello are in scope for the bug bounty program." https://pontoon.mozilla.org/ has a many user to get their data and it's also login through "https://login.persona.org/" API which is can be login through to the most of the Mozilla Apps .
Please send email to email@example.com if you want to discuss this further. If a site isn't explicitly on the list of sites covered in the bounty program, then we normally will not pay bounties for those sites unless the issue is exceptionally bad. Simply asserting that it should be covered does not change this, which is why we publish a list in the first place. See https://www.mozilla.org/en-US/security/bug-bounty/faq-webapp/#eligible-bugs We need more feedback from the developer about this site to understand the scope of the danger.
I think it has extremely bad effect because all user will be affected with one single attack , the pop ip appears to all registered users in this site I think you should see the poc or try the bug
Pontoon is an internal localization tool, used by most Mozilla localization teams. Currently, there are 852 registered users. Let me know if you need any other info about the site.
I think mathjazz Strengthen my point of view
Are there any updates ?!
Muhammed, please follow the advice from Comment 10.
Any updates on fixes will appear in this bug. If there are no comments, there are no updates. We are waiting on Adam Muntner to determine the security rating of this issue before a final decision is made about whether it is eligible for a bounty. As previously stated, this site is not normally on the list of eligible sites.
Flags: sec-bounty? → sec-bounty+
Keywords: sec-critical, wsec-xss
Hello , i am sorry for that , but i am not seeing my name in Mozilla Hall of fame first quarter https://www.mozilla.org/en-US/security/bug-bounty/hall-of-fame/ if it's ok , i would like to be added as "Muhammed Gamal Fahmy" Thanks :)
You need to log in before you can comment on or make changes to this bug.