Closed Bug 1339039 Opened 7 years ago Closed 7 years ago

Categories

(Websites :: Other, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: engg_adeel.imtiaz, Unassigned)

Details

(Keywords: wsec-xss, Whiteboard: [reporter-external] [web-bounty-form])

I injected a malicious script in the Project Name field, i.e. "><img src=x onerror=prompt('ProjectName');>, and found that it is vulnerable to stored XSS via the Project Name input field.

For your reference, PoC Link:
https://thimbleprojects.org/adeelimtiaz90/205667/
Flags: sec-bounty?
Nice find! Thanks Adeel!

Stored XSS is usually sec-critical, but I consider it running on the separate thimbleprojects.org usercontent domain instead of a mozilla.org subdomain a mitigating circumstance and gave this sec-high. Happy to upgrade the severity if you have a way to execute JS on a mozilla.org subdomain.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: sec-high, wsec-xss
Whiteboard: [reporter-external] [web-bounty-form] [verif?] → [reporter-external] [web-bounty-form]
We have domains like this for BMO (bmoattachments), MDN (mozillausercontent), etc.; they're not considered vulnerabilities unless it's on the parent domain (*.mozilla.org) -- they're actually intended for people to serve JavaScript from, so this is actually working as intended.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID
Flags: sec-bounty? → sec-bounty-
Keywords: sec-high
Group: websites-security
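
The scoping rule from the closing comment (a finding counts only when it is on the parent domain, *.mozilla.org), written out as an added triage example; it is not part of the bug thread or Mozilla's tooling. The function names are hypothetical, and every sample URL except the PoC link is constructed.

```javascript
// Added example, not Mozilla's code. PARENT_DOMAIN is taken from the thread;
// hostOf, isOnParentDomain and triage are hypothetical helper names.
const PARENT_DOMAIN = "mozilla.org";

// Extract the hostname. The URL parser lower-cases it and drops any
// userinfo part; one trailing root dot is stripped here.
function hostOf(rawUrl) {
  let host;
  try {
    host = new URL(rawUrl).hostname;
  } catch {
    return null; // unparseable input is never treated as in scope
  }
  return host.endsWith(".") ? host.slice(0, -1) : host;
}

// True only for the parent domain itself or a real subdomain of it.
// The leading dot in the suffix test rejects look-alikes such as
// "notmozilla.org"; "mozilla.org.example" fails because the parent
// domain is not at the end of the name.
function isOnParentDomain(rawUrl, parent = PARENT_DOMAIN) {
  const host = hostOf(rawUrl);
  if (host === null) return false;
  return host === parent || host.endsWith("." + parent);
}

// Classify a reported URL for triage.
function triage(rawUrl) {
  const host = hostOf(rawUrl);
  if (host === null) return { host: null, verdict: "unparseable" };
  const onParent = isOnParentDomain(rawUrl);
  return { host, verdict: onParent ? "parent-domain" : "separate-domain" };
}

// Constructed sample inputs; only the first URL appears in the thread.
const samples = [
  "https://thimbleprojects.org/adeelimtiaz90/205667/",
  "https://sub.mozilla.org/",
  "https://MOZILLA.ORG./",
  "https://notmozilla.org/",
  "https://mozilla.org.example/",
  "https://mozilla.org@thimbleprojects.org/",
];
for (const u of samples) console.log(u, "->", triage(u).verdict);
```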