Cross Site Scripting (XSS) Report #4

DeletedUser

Guest
  1. Summary of the issue (title of the post)

    It is a cross-site scripting bug (XSS).

  2. Overview of the bug (description):

    By entering malicious code, an attacker can gain information about someone's account.

  3. Steps to reproduce:

    1. You need an Account Manager ( + a Premium account);
    2. Go to Overviews -> Account Manager;
    3. Go to the Troops tab;
    4. Click on Manage Templates;
    5. In the template name field insert
    <script>alert("XSS")</script>
    and then click on Create new template;
    6. Go to one of your villages and at the bottom of the page, on the Account Manager tab, click on Edit. This should take you to the Account Manager Overview where an XSS alert should pop.

  4. Reproduction rate (Every time? Sometimes?):

    It works every time.

  5. Browser and Version:

    I am using Mozilla Firefox 33.1.1 (latest version)

  6. Visual Reference if available (Screenshot), please put them in a spoiler:

    Image 1. http://i.imgur.com/eZ4oI9B.png
    Image 2. http://i.imgur.com/P3DRlRn.png
    Image 3. http://i.imgur.com/4l3YBgB.jpg
  7. Player name and market for rewards:
    Player name: qwzky
    Market: .ro
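The defect behind this report is that a user-supplied template name is written into the Account Manager overview page as raw HTML. The following is an added example, not code from the game or from the reporter, showing the vulnerable rendering beside the hardened one (output encoding at the point where the name is placed in markup) plus an audit check for stored names; the function names and the table-row markup are assumptions.

```javascript
// Added example: HTML-encode user-supplied template names before they are
// interpolated into markup. Function names and markup are assumptions.

function escapeHtml(text) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable rendering: the name is concatenated into HTML unchanged, so a
// name that contains a <script> tag becomes live markup in the overview.
function renderTemplateRowVulnerable(name) {
  return `<tr><td class="template-name">${name}</td></tr>`;
}

// Hardened rendering: the name is encoded, so the browser displays the
// characters literally instead of parsing them as tags.
function renderTemplateRowSafe(name) {
  return `<tr><td class="template-name">${escapeHtml(name)}</td></tr>`;
}

// Audit helper for a defender reviewing already-stored template names:
// flags values that contain tag-like content so they can be cleaned up
// after the rendering fix is deployed.
function looksLikeMarkup(name) {
  return /<\s*\/?\s*[a-z][^>]*>/i.test(String(name));
}

// Constructed sample input: the payload quoted in the report.
const reportedPayload = '<script>alert("XSS")</script>';
```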
 