Babylon Translator Cross Site Scripting

2016.06.06
Credit: n0ipr0cs
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

I. VULNERABILITY ------------------------- Vulnerability Cross-Site Scripting (XSS) II. PROOF OF CONCEPT ------------------------- *URL: * 1. http://espanol.babylon-software.com/bht/index.html?trid= 2. http://traductor.babylon-software.com/ingles/a-espanol/ 3. http://traduccion.babylon-software.com/?trid= *Vector:* <img src=1 onerror=alert("n0ipr0cs");>/ *State:* unpathed III. SYSTEMS AFFECTED ------------------------- The vulnerability affects the Translator and web Babylon. IV. ABOUT BABYLON ------------------------- Babylon was founded in 1997 and is headquartered in Tel Aviv (Israel). Babylon offers different and various services to end users and businesses. The translator offers translations in 77 languages, English is also available. The software is sold worldwide and is used in more than 168 countries and has a growing base of users of desktop installations more than 90 million. In addition it has app for Iphone, Android, Windows, Blackberry and Kindle and even a pro for business service. On the other hand, there is monetization services for providers of contents and web publishers web sites, bloggers and webmasters. This company even has search services on the web, yes also is a search engine. V. CREDITS ------------------------- These vulnerabilities have been discovered by Francisco Javier Santiago Vzquez aka "n0ipr0cs" (https://es.linkedin.com/in/francisco-javier-santiago-v%C3%A1zquez-1b654050). (https://twitter.com/n0ipr0cs). VI. DISCLOSURE TIMELINE ------------------------- April 03, 2016: Vulnerability acquired by Francisco Javier Santiago Vzquez. aka "n0ipr0cs". April 03, 2016 Responsible disclosure to Babylon Security Team. April 04, 2016 Responsible disclosure to Babylon Security Team. May 18, 2016 Responsible disclosure to Babylon Security Team. June 02, 2016 Disclosure. VII. Links ------------------------ POC: http://www.estacion-informatica.com/2016/06/xss-en-babylon.html *Francisco Javier Santiago Vzquez Ethical Hacker and Forensic Analyst <http://www.linkedin.com/pub/francisco-javier-santiago-v%C3%A1zquez/50/540/1b6> <http://estacioninformatica.blogspot.com.es/> <https://twitter.com/n0ipr0cs>*

References:

http://www.estacion-informatica.com/2016/06/xss-en-babylon.html


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top