XSS Vulnerability Report
Hi there,
We received the following bug report for our website, Coinality.com:
The Vulnerability Type: XSS (Reflected Cross Site Scripting)
Severity: High Risk
Affected Parameter: The "full_address" parameter in the theme search function.
Description:
The Vulnerability is exploited by injecting a malicious javascript code inside the affected parameter which is then executed as a stored XSS vulnerability.
Impact:
This Vulnerability can be used to generally execute a malicious javascript code at the client-side browser which may lead :
1- Obtaining a full access to the victim PC, and have a full control over it.
2- Redirect the User to a malicious worm/spam/phishing website.
3- Making a scam form to steal victim credentials, such as Username and password...etc.
4- Targeting the Web Admin to steal authentication cookies, leading to full site control.
5- Stealing the Cookies of Any user.
How to reproduce: click the links below (tested on firefox)
https://coinality.com/?s=anything&location='">&ptype=job_listing&latitude='">&longitude='">&f ull_address='"><script>alert(document.cookie)</script>&north_east_lng=&south_west_lng=&north_east _lat=&south_west_lat=&radius=5'">
https://coinality.com/?s=anything&location='">&ptype=job_listing&latitude='">&longitude='">&f ull_address='"><img src=x onerror=alert(document.domain)>&north_east_lng=&so uth_west_lng=&north_east_lat=&south_west_lat=&radi us=5'">
Please let us know what we can do to fix this.
Thanks!