XSS IN thimble.webmaker.org (Mozilla Thimble)

Product: Webmaker
Component: General
Priority: --
Severity: critical
Status: RESOLVED DUPLICATE of bug 765340
Reported: 5 years ago
Modified: 4 years ago

Reporter: rishal.dwivedi
Assignee: Unassigned
Blocks: 1 bug
Version: unspecified
Bug Flags: sec-bounty -
Whiteboard: [site:thimble.webmaker.org]

Description (Reporter, 5 years ago)

User Agent: Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20100101 Firefox/18.0
Build ID: 20130116073211

Steps to reproduce:

XSS (Cross-Site Scripting vulnerability) exists in https://thimble.webmaker.org/
Below I have provided the detailed report of the vulnerability. Please look & deploy a fix soon. Waiting for your prompt response.

Actual results:

POC -

- Open https://thimble.webmaker.org/en-US/editor
- Then on the left side of the webpage edit the default code by replacing "Make something amazing with the web" with the XSS script given below.

XSS script - "><img src='1.jpg'onerror=alert("XSS")>

- Now, after you have entered the XSS script, move to the left side of the webpage & then BOOM, a popup box will be shown when you click on the right side, saying XSS.

- Hence proved: the XSS vulnerability exists!

Expected results:

Secure! :)
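The payload in the report is an attribute break-out (`">`) followed by an `<img>` whose `onerror` handler runs script. Where an application renders user-supplied HTML into a page served from its own origin, the standard mitigation is an allowlist sanitizer that keeps only known tags and attributes, drops every `on*` handler, and rejects URL attributes whose scheme is not `http`/`https` (relative URLs allowed). The following is an added example, not Thimble's or Mozilla's code: the tag and attribute allowlists are illustrative choices made here, and the sample input is the payload quoted in the report above.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed sample input: the payload quoted in the bug report above.
PAYLOAD = "\"><img src='1.jpg'onerror=alert(\"XSS\")>"

# Illustrative allowlists (an assumption of this example, not a product setting).
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "img", "ul", "ol", "li",
                "br", "h1", "h2", "h3"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
VOID_TAGS = {"img", "br"}
URL_ATTRS = {"href", "src"}
ALLOWED_SCHEMES = {"http", "https"}
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.IGNORECASE)


def url_is_safe(value: str) -> bool:
    """Accept relative URLs and http(s); reject javascript:, data:, vbscript:, etc.
    ASCII control characters and whitespace are removed first, because browsers
    ignore them when they parse the scheme."""
    cleaned = re.sub(r"[\x00-\x20]", "", value)
    m = SCHEME_RE.match(cleaned)
    return m is None or m.group(1).lower() in ALLOWED_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Re-serialises input keeping only allowlisted tags and attributes.
    Unknown tags, on* handlers, unsafe URLs and <script>/<style> bodies are
    dropped and recorded in self.dropped so a caller can log them."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []
        self.skip_depth = 0  # > 0 while inside <script> / <style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            self.dropped.append(tag)
            return
        if self.skip_depth:
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            return
        kept = []
        allowed = ALLOWED_ATTRS.get(tag, set())
        for name, value in attrs:          # html.parser lower-cases attribute names
            value = value or ""
            if name.startswith("on") or name not in allowed:
                self.dropped.append(f"{tag}@{name}")
                continue
            if name in URL_ATTRS and not url_is_safe(value):
                self.dropped.append(f"{tag}@{name}")
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is re-escaped, so the stray "> from the payload cannot re-open markup.
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize(html_in: str):
    """Return (clean_html, list_of_dropped_items)."""
    p = AllowlistSanitizer()
    p.feed(html_in)
    p.close()
    return "".join(p.out), p.dropped


if __name__ == "__main__":
    clean, dropped = sanitize(PAYLOAD)
    print("input:  ", PAYLOAD)
    print("output: ", clean)     # "&gt;<img src="1.jpg">
    print("dropped:", dropped)   # ['img@onerror']
```

Run against the reported payload, the `onerror` attribute is stripped and the leading `">` is re-escaped as text, so the `<img>` survives without its handler. In production a maintained sanitizer (bleach for Python, DOMPurify in the browser) should be preferred over a hand-written parser, and for a live code editor whose whole purpose is to run the author's own markup, the stronger control is to render the preview in a sandboxed, cross-origin iframe so that script in the preview cannot reach the editor's session or cookies.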
Updated (Reporter, 5 years ago):
Severity: normal → critical
Blocks: 836522
Status: UNCONFIRMED → RESOLVED
Last Resolved: 5 years ago
Flags: sec-bounty-
Resolution: --- → DUPLICATE
Whiteboard: [site:thimble.webmaker.org]
Duplicate of bug: 765340

Updated (4 years ago):
Blocks: 943111

Updated (4 years ago):
No longer blocks: 836522