Popup Blocker Pro Chrome Extension Stored Cross Site Scripting

Published: 2017.01.24
Credit: Aaditya Purani
Risk: Low
CWE: CWE-79
CVE: N/A
Local: No
Remote: Yes

Summary :

The latest version of Pop-Up Blocker Pro suffers from stored cross-site scripting.

Products Affected :

Version 1.3.5 Chrome Extension

Link :

https://chrome.google.com/webstore/detail/popup-blocker-pro/kiodaajmphnkcajieajajinghpejdjai?hl=en

Proof of Concept :

The file options/options.htm suffers from stored XSS due to the lack of output filtering. Go to chrome-extension://kiodaajmphnkcajieajajinghpejdjai/options/options.htm

Then, in the Whitelisted Sites section, add the payload <script>alert(1)</script> and press Enter.

From then on, each time you visit the extension's options page, the stored payload executes.
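The missing output filter described above, as an added example that is not the extension's own code (the advisory does not show its source): an assumed concatenation-based renderer beside an encoded one, plus hostname validation at input time. All function names and the sample entries are hypothetical.

```javascript
// Added illustration; NOT the extension's actual source, which the advisory does not show.
"use strict";

// Constructed sample of stored whitelist entries, including the advisory's payload.
const storedEntries = ["example.com", "<script>alert(1)</script>"];

// Vulnerable pattern (assumed): stored values concatenated straight into markup.
function renderWhitelistUnsafe(entries) {
  return "<ul>" + entries.map((e) => "<li>" + e + "</li>").join("") + "</ul>";
}

// Output encoding for HTML text and quoted-attribute contexts.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened form: every stored value is encoded before it reaches the markup.
function renderWhitelistSafe(entries) {
  return "<ul>" + entries.map((e) => "<li>" + escapeHtml(e) + "</li>").join("") + "</ul>";
}

// Input validation: accept only hostname-shaped entries (dot-separated labels of
// letters, digits and inner hyphens), so markup never reaches storage.
function isValidHost(entry) {
  if (typeof entry !== "string" || entry.length === 0 || entry.length > 253) return false;
  const label = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/i;
  return entry.split(".").every((l) => label.test(l));
}

// Normalise, validate, then store; rejected input leaves the list unchanged.
function addToWhitelist(list, entry) {
  const host = String(entry).trim().toLowerCase();
  if (!isValidHost(host)) return { ok: false, list };
  return { ok: true, list: list.includes(host) ? list : [...list, host] };
}

console.log(renderWhitelistUnsafe(storedEntries)); // payload survives as markup
console.log(renderWhitelistSafe(storedEntries));   // payload rendered as inert text
console.log(addToWhitelist([], storedEntries[1]).ok);
```

In an actual options page, assigning each entry through `textContent` on a created element gives the same protection as the encoder, because the value is never parsed as HTML.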

Credits:
Aaditya Purani




Copyright 2017, cxsecurity.com