Closed
Bug 843574
Opened 12 years ago
Closed 12 years ago
XSS / developer.m.o / editor
Categories
(developer.mozilla.org Graveyard :: Editing, defect)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 821986
People
(Reporter: curtisk, Unassigned)
Details
(Whiteboard: [site:developer.mozilla.org])
Attachments
(1 file: 593.95 KB, image/png)
From: fabiancuchietti@hotmail.com
To: security@mozilla.org
Subject: developer.mozilla.org - Cross-site Scripting
Date: Thu, 21 Feb 2013 00:58:30 -0300
-----//-----
Hello Mozilla Security,
I have found a Cross-site Scripting vulnerability in developer.mozilla.org (added screenshot).
Details:
Target: developer.mozilla.org
Vulnerability: Cross-site Scripting
Method: POST
How to exploit: The editor does not filter HTML tags properly.
Insert the following payload: "><audio src=. onerror=alert(String.fromCharCode(47,88,83,83,101,100,47))>
Best regards,
Fabián Cuchietti.
Comment 1•12 years ago (Reporter)
Comment 2•12 years ago (Reporter)
Assigning to Simon for verification
Assignee: nobody → sbennetts
Whiteboard: [stie:developer.mozilla.org] → [stie:developer.mozilla.org][verif?]
Updated•12 years ago
Whiteboard: [stie:developer.mozilla.org][verif?] → [site:developer.mozilla.org][verif?]
Comment 3•12 years ago
Hi Fabián,
Thank you for reporting this issue. I can confirm that it is a vulnerability.
However, it has already been reported to us.
Many thanks,
Simon
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Whiteboard: [site:developer.mozilla.org][verif?] → [site:developer.mozilla.org]
Updated•12 years ago
Assignee: sbennetts → administration
Comment 4•9 years ago
For bugs that are resolved, we remove the security flag. These haven't had their flag removed, so I'm removing it now.
Group: websites-security
Updated•5 years ago
Product: developer.mozilla.org → developer.mozilla.org Graveyard