User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:2.0) Gecko/20100101 Firefox/4.0
Build Identifier:

A Cross-Site Scripting (XSS) vulnerability has been discovered in developer.mozilla.org, which can be exploited by malicious users to conduct Cross-Site Scripting (XSS) attacks.

Input passed via the "pageId" parameter to index.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Tested on Firefox 4.0. FYI.

Below is the PoC:

Cross-Site Scripting (XSS):
===========================
https://developer.mozilla.org/index.php?title=Special:Tags&pageId=1279'"--></style></script><script>alert(document.cookie)</script>

Reproducible: Always
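The report above describes "pageId" being returned to the user without sanitisation. The following is an added example, not part of the bug report and not the site's own code: it shows the two server-side checks that neutralise the reported value, strict numeric validation of the parameter and HTML encoding of anything echoed back. The function names and the example.test host are hypothetical.

```javascript
// Added example; parsePageId, escapeHtml and renderTagsLink are hypothetical names.

// Constructed sample: the pageId value quoted in the report above.
const REPORTED_PAGE_ID =
  `1279'"--></style></script><script>alert(document.cookie)</script>`;

// Layer 1: pageId is a numeric identifier, so accept plain digits only.
// Returns the integer, or null when the value is anything else.
function parsePageId(raw) {
  if (typeof raw !== "string" || !/^[0-9]{1,10}$/.test(raw)) return null;
  const n = Number(raw);
  return Number.isSafeInteger(n) && n > 0 ? n : null;
}

// Layer 2: encode for HTML text and quoted-attribute contexts.
// Covers the characters the reported value relies on: ' " < > and &.
const HTML_ENTITIES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Hypothetical handler: reads pageId from the request URL and builds the
// fragment that echoes it back. Invalid input is rejected, and the error
// message itself is encoded so the rejection path cannot reflect markup.
function renderTagsLink(requestUrl) {
  const raw = new URL(requestUrl).searchParams.get("pageId");
  const id = parsePageId(raw);
  if (id === null) {
    return { status: 400, body: `<p>Invalid pageId: ${escapeHtml(raw ?? "")}</p>` };
  }
  return {
    status: 200,
    body: `<a href="/index.php?title=Special:Tags&amp;pageId=${id}">Tags</a>`,
  };
}
```

Validation alone would already reject the reported value; the encoding step matters for every other place the raw string is written into a page, including error messages.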
I think this is a dupe
Component: Other → Website
Product: Websites → Mozilla Developer Network
QA Contact: other → website
(In reply to comment #1)
> I think this is a dupe

Hi Wil Clouser,
Have you tested the PoC on your machine? I have tested and it worked on my Firefox 4.0.

Please let me know if you require any further information or enquiries.
(In reply to comment #2)
> (In reply to comment #1)
> > I think this is a dupe
>
> Hi Wil Clouser,
> Have you tested the PoC on your machine? I have tested and it worked on my
> Firefox 4.0.
>
> Please let me know if you require any further information or enquiries.

Also, I have searched through the reported bugs and I couldn't find any duplicates.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 622996
Component: Website → Landing pages
Product: Mozilla Developer Network → Mozilla Developer Network
For bugs that are resolved, we remove the security flag. These haven't had their flag removed, so I'm removing it now.