Closed
Bug 1287376
Opened 8 years ago
Closed 8 years ago
XSS and code execute
Categories
(bugzilla.mozilla.org :: Bug Creation/Editing, defect)
People
(Reporter: anasroubi, Unassigned)
Attachments
(1 file: 421 bytes, image/svg+xml)
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0
Build ID: 20160606113944
Steps to reproduce:
go to https://bugzilla.mozilla.org/enter_bug.cgi
make a new bug
Actual results:
upload an SVG file that has JavaScript code or any other code, like
https://hackerone.com/reports/142709
Expected results:
open it after upload; it will execute
Comment 1•8 years ago (Reporter)
I think it should be fixed as soon as possible, because it's XSS where I can write a script with no max length, and at the same time it can be XXE, which is a type of RCE vulnerability :)
Best regards,
Anas Roubi
Comment 2•8 years ago
It doesn't run on the same domain as bugzilla, so this isn't a problem.
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Component: Untriaged → Bug Creation/Editing
Product: Firefox → bugzilla.mozilla.org
Resolution: --- → DUPLICATE
Version: 47 Branch → Production
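Comment 2 rests on which origin the uploaded SVG is served from, which can be checked by comparing the attachment URL against the application URL. The sketch below is an added example, not part of this bug thread or of Bugzilla's code; the hostnames are constructed placeholders and the parent-domain rule is a simplifying assumption that ignores the Public Suffix List.

```javascript
// Added example. Hostnames are constructed placeholders, not Bugzilla's real ones.

// Origin per RFC 6454: scheme, host and port. The URL parser drops default
// ports, so https://host:443 and https://host compare equal.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Assumption: the "parent domain" is the app host minus its first label.
// A real check would consult the Public Suffix List instead.
function parentDomain(hostname) {
  const labels = hostname.split(".");
  return labels.length > 2 ? labels.slice(1).join(".") : hostname;
}

// Classify where an uploaded attachment is served relative to the app:
//   "same-origin"  - script in the SVG runs with the app's origin (real XSS)
//   "sibling-host" - different origin, but cookies scoped to the parent
//                    domain would still be sent to the attachment host
//   "isolated"     - unrelated host; script cannot reach the app's DOM or cookies
function classifyAttachmentHost(appUrl, attachmentUrl) {
  if (originOf(appUrl) === originOf(attachmentUrl)) return "same-origin";
  const parent = parentDomain(new URL(appUrl).hostname);
  const attHost = new URL(attachmentUrl).hostname;
  if (attHost === parent || attHost.endsWith("." + parent)) return "sibling-host";
  return "isolated";
}

// Constructed sample deployments.
const APP = "https://tracker.example.org/show_bug.cgi?id=1";
const SAMPLES = [
  "https://tracker.example.org:443/attachment.cgi?id=2",
  "https://files.example.org/attachment.cgi?id=2",
  "https://bug-1.attachments.example.net/attachment.cgi?id=2",
];
for (const url of SAMPLES) {
  console.log(classifyAttachmentHost(APP, url).padEnd(13), url);
}
```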
Comment 3•8 years ago (Reporter)
(In reply to :Gijs Kruitbosch from comment #2)
> It doesn't run on the same domain as bugzilla, so this isn't a problem.
>
> *** This bug has been marked as a duplicate of bug 38862 ***
OK, what about this one, #1287375?
Comment 4•8 years ago
(In reply to Anas Roubi from comment #3)
> (In reply to :Gijs Kruitbosch from comment #2)
> > It doesn't run on the same domain as bugzilla, so this isn't a problem.
> >
> > *** This bug has been marked as a duplicate of bug 38862 ***
>
> OK what about this one #1287375 ?
I can't see that bug, so I have no idea.
Comment 5•8 years ago (Reporter)
I've added you, can you see it now?
Comment 8•8 years ago
Please don't disclose issues that are still security-sensitive on public bugs. I've marked your comment private.
Comment 9•8 years ago
(In reply to Anas Roubi from comment #5)
> I've added you, can you see it now?
Yes, but I don't have the knowledge to evaluate that bug. Others will do so when they're awake (it's night in the US still).