Multiple XSS vulnerabilities on search module #676
I stumbled upon at least 3 HTML injection possibilities while making a search in Transvision.
If you open this link, you'll get 3 alerts. It's at least included in the top menu, the search input and the sentence giving the equivalent request if made on the API.
At first, I believed that the impact was very low, since there is no administration panel or user accounts for this website: the vulnerability would only be used to create phishing pages using your subdomain or like an open redirect (see OWASP articles for both).
But it appears that the website is hosted on a .mozfr.org subdomain, so this vulnerability can be used to steal cookies from other subdomains, like the wiki of the forums, and ultimately impersonate administrators.
I don't think that