Closed Bug 843574 Opened 11 years ago Closed 11 years ago

XSS / developer.m.o / editor

Categories

(developer.mozilla.org Graveyard :: Editing, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 821986

People

(Reporter: curtisk, Unassigned)

Details

(Whiteboard: [site:developer.mozilla.org])

Attachments

(1 file)

From: fabiancuchietti@hotmail.com
To: security@mozilla.org
Subject: developer.mozilla.org - Cross-site Scripting
Date: Thu, 21 Feb 2013 00:58:30 -0300
-----//-----
Hello Mozilla Security,

I have found a Cross-site Scripting vulnerability in developer.mozilla.org (added screenshot).

Details:

Target: developer.mozilla.org
Vulnerability: Cross-site Scripting
Method: POST
How Exploit: The editor "html tags not filter properly".
Insert the following payload: "><audio src=. onerror=alert(String.fromCharCode(47,88,83,83,101,100,47))>


Best regards,
Fabián Cuchietti.
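
An added example, not part of the report or of MDN's code: a minimal allowlist sanitizer built on Python's standard `html.parser`, showing how the payload quoted above loses its `onerror` handler when only named tags and attributes are re-emitted. The `ALLOWED` policy, `sanitize` and the other names are assumptions made for this illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed policy for this example: tag -> attributes that may be kept.
ALLOWED = {"p": set(), "b": set(), "i": set(), "em": set(), "code": set(),
           "pre": set(), "a": {"href", "title"}, "audio": {"src", "controls"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"", "http", "https"}  # "" is a relative URL
REPORTED_PAYLOAD = '"><audio src=. onerror=alert(String.fromCharCode(47,88,83,83,101,100,47))>'

def url_is_safe(value):
    # Browsers ignore whitespace/control characters inside a scheme, so strip them first.
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20)
    try:
        return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES
    except ValueError:
        return False

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped = [], []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            self.dropped.append(tag)  # element not in the policy: tag removed
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name in ALLOWED[tag] and (name not in URL_ATTRS or url_is_safe(value)):
                kept.append(f' {name}="{escape(value, quote=True)}"')
            else:
                self.dropped.append(f"{tag}@{name}")  # e.g. event handlers
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=True))  # text is always re-escaped

def sanitize(markup):
    parser = AllowlistSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out), parser.dropped
```

`sanitize(REPORTED_PAYLOAD)` returns the escaped leading text followed by a bare `<audio src=".">`, plus `['audio@onerror']` as the list of dropped items, which can be logged for detection.
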
Assigning to Simon for verification
Assignee: nobody → sbennetts
Whiteboard: [stie:developer.mozilla.org] → [stie:developer.mozilla.org][verif?]
Whiteboard: [stie:developer.mozilla.org][verif?] → [site:developer.mozilla.org][verif?]
Hi Fabián,

Thank you for reporting this issue. I can confirm that it is a vulnerability.
However, it has already been reported to us.

Many thanks,

Simon
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Whiteboard: [site:developer.mozilla.org][verif?] → [site:developer.mozilla.org]
Assignee: sbennetts → administration
For bugs that are resolved, we remove the security flag. These haven't had their flag removed, so I'm removing it now.
Group: websites-security
Product: developer.mozilla.org → developer.mozilla.org Graveyard