ADVISORY INFORMATION
===================
Title: Multiple Reflected XSS vulnerabilities in Infobae Website
Date published: 2016-20-05
Vendors contacted: No answer received
Vendors website: http://www.infobae.com/
Discovered by: Joel Noguera [Independent Security Researcher]
Severity: Medium

AFFECTED PRODUCT
===================
Infobae is the website of a famous newspaper from Argentina. It is well known and has thousands of readers per day.

Infobae : http://www.infobae.com/

TECHNICAL DESCRIPTION / PROOF OF CONCEPT
===================
The application does not correctly validate the URL once it is submitted, so an attacker can inject malicious JavaScript into the page code.

The vulnerability is located in the pages:
- http://www.infobae.com/temas/[-PAYLOAD-]
- http://www.infobae.com/temas/[-PAYLOAD-]

This could be exploitable with the following examples:
- http://search.infobae.com/');alert(document.cookie);document.write('
- http://www.infobae.com/temas/');alert(document.cookie);document.write('

IMPACT
===================
An anonymous attacker can inject malicious JS code in a crafted request to hijack session data of administrators or users of the web resource.

DISCLOSURE TIMELINE
===================
4 May - Discovered vulnerability, initially notified vendor
16 May - Contacted again - no response
20 May - Checked the vulnerability; it had been fixed.
20 May - Public Disclosure

DISCLAIMER
===================
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information.

CREDITS
===================
Joel Noguera as independent Security Researcher.
- Linkedin: https://ar.linkedin.com/in/noguerajoel/en
- Twitter: @niemand_sec
- Email: niemand.sec@gmail.com
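
Added example (not part of the original advisory, and not Infobae's code): the proof-of-concept URLs close a single-quoted JavaScript string, which suggests the path segment was reflected into an inline script. The sketch below assumes that sink shape and shows it beside a context-correct fix; renderVulnerable, renderHardened, escapeJsString and runInlineScript are hypothetical names, and the cookie value is constructed.

```javascript
// Added illustration, not Infobae's code. The inline-script sink is an
// assumption inferred from the shape of the advisory's proof-of-concept URLs.
const PAYLOAD = "');alert(document.cookie);document.write('"; // path segment from the advisory

// Vulnerable shape: the URL path segment is pasted into a single-quoted
// JavaScript string literal inside an inline script.
function renderVulnerable(topic) {
  return "<script>document.write('<h1>" + topic + "</h1>');</script>";
}

// Escape every UTF-16 code unit outside [A-Za-z0-9] as \uXXXX so the value
// cannot close the string literal, the statement or the <script> element.
function escapeJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Hardened shape: escaped for the JS string context and assigned through
// textContent, so the decoded value is never parsed as HTML either.
function renderHardened(topic) {
  return '<h1 id="topic"></h1><script>document.getElementById("topic")' +
    ".textContent = '" + escapeJsString(topic) + "';</script>";
}

// Run the page's inline script against stub objects (no browser needed) and
// report how many times alert() ran and what text ended up in the heading.
function runInlineScript(html) {
  const body = /<script>([\s\S]*?)<\/script>/.exec(html)[1];
  const heading = { textContent: "" };
  let alerts = 0;
  const doc = {
    cookie: "session=constructed-value", // constructed sample cookie
    write() {},
    getElementById: () => heading,
  };
  new Function("document", "alert", body)(doc, () => { alerts += 1; });
  return { alerts, text: heading.textContent };
}

console.log("vulnerable:", runInlineScript(renderVulnerable(PAYLOAD)));
console.log("hardened:  ", runInlineScript(renderHardened(PAYLOAD)));
```

Escaping for the JavaScript string alone would not be enough if the value were still passed to document.write, because the decoded string would then be parsed as HTML; the hardened version therefore changes the sink as well.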