Bug 771315 - WP Plugin Simple-embed-Code - Fix XSS Before Adding to Hacks Blog
Keywords: wsec-xss
Product: Mozilla Developer Network
Classification: Other
Component: Mozilla Hacks
Version: unspecified
Platform: x86 Mac OS X
Importance: -- normal
Assigned To: Matt Fuller :mfuller
Depends on:
Blocks: 771050 771568
Reported: 2012-07-05 13:35 PDT by Matt Fuller :mfuller
Modified: 2013-05-22 11:19 PDT

Description Matt Fuller :mfuller 2012-07-05 13:35:41 PDT
During a security review of the simple embed code plugin for the hacks blog (bug 771050), I found an XSS vulnerability in the "search" admin page. This is executed using a link such as: "/><script>alert(1);</script>

Although behind the login page, this link could be sent to a blog author or clicked on by one, causing the code to execute.

I've contacted the developer of this plugin.

This blocks the installation of the plugin.
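
The class of bug reported above, as an added example that is not part of the bug report and is not the plugin's code: a search term echoed into a double-quoted attribute, next to the same output encoded for that context. The function names, the `s` field and the markup are hypothetical, and plain PHP `htmlspecialchars()` is used so the snippet runs outside WordPress.

```php
<?php
// Added illustration only: not the Simple Embed Code plugin's source.
// Function names, the "s" field and the markup are hypothetical.

// Vulnerable pattern: the request value is copied verbatim into a
// double-quoted attribute, so a '"' in the input ends the attribute.
function render_search_unsafe(string $term): string
{
    return '<input type="text" name="s" value="' . $term . '" />';
}

// Hardened pattern: encode for the attribute context at output time.
// Inside WordPress, esc_attr() is the helper meant for this context.
function render_search_safe(string $term): string
{
    $encoded = htmlspecialchars($term, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="s" value="' . $encoded . '" />';
}

// Review check: the output must be exactly the one <input> the template
// intends, with no raw quote or angle bracket inside the value.
function value_is_contained(string $html): bool
{
    $pattern = '/^<input type="text" name="s" value="[^"<>]*" \/>$/';
    return preg_match($pattern, $html) === 1;
}

// Constructed inputs: an ordinary term that happens to contain quotes,
// and the string quoted in the report.
$samples = [
    'embed "video"',
    '"/><script>alert(1);</script>',
];

foreach ($samples as $term) {
    foreach (['render_search_unsafe', 'render_search_safe'] as $render) {
        $html = $render($term);
        $verdict = value_is_contained($html) ? 'contained' : 'markup broken';
        printf("%-21s %-14s %s\n", $render, $verdict, $html);
    }
}
```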
Comment 1 Matt Fuller :mfuller 2012-07-06 09:43:59 PDT
The developer has replied and updated the plugin to version 2.0.2, which fixes the XSS issue. I am marking this bug resolved.

--Developer Email--
Hi Matt,

The plugin has been updated and is live in the repository - version 2.0.2.

Let me know if there are any issues and, naturally, if there's any further functionality that your developers would like to see it cover please feel free to contact me.

Kind regards,

David Artiss.
Comment 2 Yvan Boily [:ygjb][:yvan] 2013-05-22 11:19:07 PDT
Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.
