Security Vulnerability Cross Site Scripting on l10n.kde.org
Albert Astals Cid
aacid at kde.org
Mon May 27 19:09:49 BST 2024
Thanks for reporting this, we will have a look as soon as
possible.
Best Regards,
Albert
El diumenge, 26 de maig del 2024, a les 6:44:40 (CEST), Tamim Khan va
escriure:
> Hi there,
>
> I have found a cross-site scripting vulnerability on l10n.kde.org .
> details down below.
>
> Overview of the Vulnerability:
>
> Reflected Cross-Site Scripting (XSS) is a type of injection attack where
> malicious JavaScript code is injected into a website. When a user visits
> the affected web page, the JavaScript code executes and its input is
> reflected in the user's browser. Reflected XSS can be found on this domain
> which allows an attacker to create a crafted URL which when opened by a
> user will execute arbitrary Javascript within that user's browser in the
> context of this domain.
>
> Vulnerability Details:
>
> Vulnerable URL:
> https://l10n.kde.org/teams-list.php/'%3E%3Cjlmtpc%3E2='%3E%3Csvg%20onload=al
> ert(document.domain)%3E// Parameter: 2
> Payload: '><svg onload=alert(1)>//
>
>
> Steps to Reproduce:
>
> 1. Use a browser to navigate to:
> https://l10n.kde.org/teams-list.php/'%3E%3Cjlmtpc%3E2='%3E%3Csvg%20onload=al
> ert(document.domain)%3E// 2. It will make a popup as for POC
> 3. Observe the JavaScript payload being executed
>
>
> Proof of Concept (PoC):
>
> Here is a screenshot of the full exploit taking place:
>
> [image: Screenshot_209.png]
>
>
> if you need more info. let me know any time.
> it will be great if you guys consider a bounty.
>
>
> Best Regards
> J K Tamim
More information about the kde-i18n-doc
mailing list