Created attachment 8342478 xss.png

Received: by 10.50.140.5 with HTTP; Wed, 4 Dec 2013 09:21:42 -0800 (PST)
Date: Wed, 4 Dec 2013 22:51:42 +0530
Subject: Vulnerable Plugin (XSS)
From: prayas kulshrestha <email@example.com>
To: Mozilla Security <firstname.lastname@example.org>

-----//-----

Hi,

I would like to inform you about a vulnerable plugin that is used in one of the important subdomains of Mozilla, that is, hacks.Mozilla.org. Below is the screenshot for the same:

<xss.png>

Reference link for confirmation: http://security-sh3ll.blogspot.in/2011/12/google-recaptcha-wordpress-plugin.html

This website even comes up in the Google index; one can use a dork like:

Google dork: inurl:rcommentid= error= site:mozilla.org

Result: https://www.google.co.in/search?q=inurl:rcommentid%3D+error%3D&ie=utf-8&oe=utf-8&rls=org.mozilla:en-US:official&client=firefox-a&gws_rd=cr&ei=MGSfUq7fMoWErAfF0oG4Dw#q=inurl:rcommentid%3D+error%3D++site%3Amozilla.org&rls=org.mozilla:en-US%3Aofficial

Thank You

-----
Regards
Prayas Kulshrestha
5 years ago
Assigning to Jake; can we get this plugin fixed or removed?
Assignee: nobody → nmaul
While I have updated this plugin in bug 946861, I want to remind the group it was *NOT* an activated plugin on hacks.mozilla.org.
Does not qualify for a bug bounty because this was disabled and there is no evidence (e.g. POC link) the reporter could actually trigger an XSS on the site.
Component: Other → Mozilla Hacks
Flags: sec-bounty? → sec-bounty-
Product: Websites → Mozilla Developer Network
Unsetting myself and closing... seems like this was resolved in the dependent bug? I don't see any reason to keep this open.
Assignee: nmaul → nobody
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
For bugs that are resolved, we remove the security flag. These haven't had their flag removed, so I'm removing it now.