> CVSS2 defines a standard XSS ~4.3/10, more critical are CSRF ~6.8 or Open
> Redirect ~5.8
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
XSS isn't a critical issue. CVSS2 defines a standard XSS ~4.3/10, more
critical are CSRF ~6.8 or Open Redirect ~5.8. It makes no sense to publish an XSS in
ONE website on this list! Too many websites are vulnerable. If someone has
a nice XSS in software like phpmyadmin, it could be interesting.
--
Best regar
On Thu, Apr 11, 2013 at 07:48:16PM +0300, Henri Salo wrote:
> And? Did you report this to allegro.pl owners? Even to security@- and
> abuse@-addresses? How is this 0day issue?
>
In general I don't see a reason to inform any vendor
unless some external reason exists.
The game of life is a non-coope
On Thu, Apr 11, 2013 at 2:33 PM, Swair Mehta wrote:
> Well try the "search" on plantronics website. http://www.plantronics.com/us/
>
> Nobody notified, I couldn't see the contact us link
> on the first page.
Stay away from the web based stuff since there could be an obscene
EULA festering there.
Y
It's not a 0day. Allegro is not a software vendor. It's a website.
--
Best regards,
Maksymilian Arciemowicz ( http://cvemap.org/ )
Well try the "search" on plantronics website. http://www.plantronics.com/us/
Nobody notified, I couldn't see the contact us link
on the first page.
On 11-Apr-2013, at 9:28 AM, Kacper Szczesniak wrote:
Hi All!
I was looking for a 19" rack mount today and found this XSS instead:
http://allegro.pl
On Thu, Apr 11, 2013 at 06:27:28PM +0200, Kacper Szczesniak wrote:
> Hi All!
>
> I was looking for a 19" rack mount today and found this XSS instead:
> http://allegro.pl/listing/listing.php?string=%22%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E
>
> it turns out to be a custom data-
Hi All!
I was looking for a 19" rack mount today and found this XSS instead:
http://allegro.pl/listing/listing.php?string=%22%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E
it turns out to be a custom data-headline attribute that is not properly escaped
tested on Firefox 20, Chrome a
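
The escaping problem described in the post above, shown as an added example that is not part of the original thread or the site's code: a search string placed in a `data-headline` attribute with and without attribute-context encoding, checked by parsing the result. The `div` markup, function names and `audit` helper are assumptions for illustration; the test value is the query string from the posted URL.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import unquote

# Query value from the URL in the post, percent-decoded.
REPORTED = unquote("%22%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E")

def render_unescaped(query: str) -> str:
    """'Before' form: the search string is pasted into the attribute as-is."""
    return '<div class="listing" data-headline="' + query + '"></div>'

def render_escaped(query: str) -> str:
    """Hardened form: encode &, <, > and both quote characters for attribute context."""
    return '<div class="listing" data-headline="' + escape(query, quote=True) + '"></div>'

class _Audit(HTMLParser):
    """Records <script> start tags and the data-headline value as an HTML parser sees them."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.script_tags = 0
        self.headline = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        for name, value in attrs:
            if name == "data-headline":
                self.headline = value

def audit(markup: str):
    """Return (number of <script> elements, parsed data-headline value)."""
    parser = _Audit()
    parser.feed(markup)
    parser.close()
    return parser.script_tags, parser.headline

if __name__ == "__main__":
    # Hypothetical markup; only the attribute name comes from the post.
    for render in (render_unescaped, render_escaped):
        print(render.__name__, audit(render(REPORTED)))
```

In the unescaped form the leading quote closes the attribute early, so the parser sees an empty `data-headline` and a separate script element; in the escaped form the whole string survives as the attribute's value and no element is created.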