DeletedUser
Guest
- Summary of the issue (title of the post)
It is a cross-site scripting bug (XSS).
- Overview of the bug (description):
By entering malicious code, an attacker can gain information about someone's account.
- Steps to reproduce:
1. You need a tribe;
2. Go to the tribe's General forum and use the search's 'Settings' button;
3. Now in the search field type:
"><script>alert("XSS")</script>
Make sure you put "> in front of the <script> tag.
4. After the search finishes, click on Refine search and after you get back to the page you should get an alert now.
- Reproduction rate (Every time? Sometimes?):
It works every time.
- Browser and Version:
I am using Mozilla Firefox 34.0 (latest version).
- Visual Reference if available (Screenshot) please put them in a spoiler.:
Image 1: http://i.imgur.com/PImudCp.png
Image 2: http://i.imgur.com/q3cdqnS.png
Image 3: http://i.imgur.com/RbhxROf.jpg
- Player name and market for rewards:
Name: qwzky
Market: .ro
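
Added example, not part of the original report and not the game's code: the `">` prefix in step 3 suggests the previous search term is written back into a quoted `value` attribute on the Refine search page, so this sketch shows that pattern unescaped beside the same output with context-appropriate HTML encoding. The form markup and all function names are assumptions made for illustration.

```javascript
// Assumed markup and hypothetical function names; only PAYLOAD comes from the report.
const PAYLOAD = '"><script>alert("XSS")</script>';

// Encode the characters that can end a quoted attribute or start a tag.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the earlier query is concatenated straight into value="...".
function renderRefineFormUnsafe(query) {
  return '<input type="text" name="search" value="' + query + '">';
}

// Hardened pattern: the query is encoded for the attribute context on output.
function renderRefineFormSafe(query) {
  return '<input type="text" name="search" value="' + escapeHtml(query) + '">';
}

// Test helper: list every tag in the markup after the single expected <input>.
// A non-empty result means user input escaped the attribute and became markup.
function extraTags(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.slice(1);
}

// Regression check a developer could keep next to the template code.
function reflectsAsMarkup(render, query) {
  return extraTags(render(query)).length > 0;
}

console.log('unsafe:', renderRefineFormUnsafe(PAYLOAD));
console.log('  injected tags:', extraTags(renderRefineFormUnsafe(PAYLOAD)));
console.log('safe:  ', renderRefineFormSafe(PAYLOAD));
console.log('  injected tags:', extraTags(renderRefineFormSafe(PAYLOAD)));
```

The encoding is applied at output time for the HTML attribute context; the same value placed in a URL or inside a script block would need a different encoder.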