
Cross-site scripting vulnerability in Ubuntu official website

A security researcher known as "flexxpoint" discovered a cross-site scripting vulnerability in the official Ubuntu website.

The search box on the Certified hardware Models page of the Ubuntu website was found to be vulnerable to XSS injection.

PoC:
http://www.ubuntu.com/certification/models?form.search_text=Dell"><script>alert(/xss-Bulgaria/.source)</script>&form.hardware_category=LAPTOP

The part of the URL from "> through </script> is the injected XSS code. The injected code here is a very simple one. Replacing it with malicious JavaScript would allow an attacker to steal cookies, or it could be used for a phishing attack.
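The following is an added example, not code from the Ubuntu website or the researcher: it takes the PoC URL above and shows why the "> prefix turns a reflected search value into live markup, and how output encoding stops it. The input template is an assumption, since the article does not show the page's real HTML.

```python
import html
from urllib.parse import urlsplit, parse_qs

# PoC URL quoted in the article above.
POC_URL = ('http://www.ubuntu.com/certification/models?form.search_text='
           'Dell"><script>alert(/xss-Bulgaria/.source)</script>'
           '&form.hardware_category=LAPTOP')

# Hypothetical template: the real page markup is not shown in the article.
TEMPLATE = '<input type="text" name="form.search_text" value="{value}">'


def search_text(url):
    """Extract the form.search_text query parameter from a URL."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("form.search_text", [""])[0]


def render_vulnerable(value):
    """Reflects the parameter verbatim: '">' closes the attribute and the tag."""
    return TEMPLATE.format(value=value)


def render_hardened(value):
    """Encodes &, <, >, " and ' so the value stays inside the attribute."""
    return TEMPLATE.format(value=html.escape(value, quote=True))


def breaks_out(markup):
    """True if the reflected value left a live <script> tag in the output."""
    return "<script>" in markup.lower()


if __name__ == "__main__":
    value = search_text(POC_URL)
    for render in (render_vulnerable, render_hardened):
        out = render(value)
        print(f"{render.__name__}: script tag live = {breaks_out(out)}")
        print("  " + out)
```

In the hardened output the search box still displays the text the user typed, but the browser parses it as an attribute value rather than as a new element.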