XSS vulnerability through the search results page.
The search query is sent as a GET parameter and is rendered, unescaped, inside a JavaScript block on the search results page. A crafted URL can therefore break out of the JavaScript string literal that holds the query, and the injected code runs as soon as the containing function is called (here, on a button press).
The developers had correctly escaped the user input throughout the HTML content of the page, but overlooked that the same value also needs escaping for the context it lands in within JavaScript: HTML escaping and JavaScript string escaping are different encodings, and the one applied must match the context.
The rendered script after the query value ";alert();// has been inserted:

    function moreSearchResults() {
        // the closing quote, the alert() call and the // comment come from the query parameter
        var paglink ="?q=";alert();//&ps=25&docdate=all&sitesection=all";
        var page = currentPage+1;
        var mr = paglink + "&p="+ page;
        ...
Date              | Event
07 May 2017       | Used online contact form to report vulnerability: https://ico.org.uk/global/contact-us/email
09 May 2016 17:00 | Email received from "Digital Architect" asking for more information about the vulnerability
09 May 2017 20:26 | Reply sent with example URL and details on how the XSS comes about on the page
09 May 2017 20:37 | Reply acknowledging problem with thanks
02 September 2017 15:37 | I chase up response asking when it will be fixed but get no reply
27 November 2017 23:00 | I publish page after over 6 months of reporting the vulnerability and getting no further response
Status: Reported, Won't Fix