Category: Cross Site Scripting

Paypal Sender Country XSS

Paypal Sender Country XSS

A new XSS vulnerability was identified on Paypal.com earlier today, found by d3v1l and disclosed on both Security-Shell and XSSed. The problem is with the parameter sender_country in a transaction called nvpsm.

F-Secure XSS on Anti-Theft Website

F-Secure XSS on Anti-Theft Website

In a new section supporting the release of an anti-theft product for mobile phones, the web site of Helsinki based anti-virus company F-Secure is vulnerable to cross site scripting (XSS).

Formspring.me XSS Vulnerability

Formspring.me XSS Vulnerability

Formspring.me, a newly popular social networking site, has a fundamental cross site scripting flaw that allows one logged in user to steal another user’s session, but also may allow users to find out who posted a nasty comment about them.

XSS Flaw on PayPal.com

XSS Flaw on PayPal.com

Earlier today Wesley Kerfoot reported on the Full Disclosure mailing list that a page in the Paypal.com domain is susceptible to a non-persistent reflected cross site scripting attack (XSS). While non-persistent XSS bugs are somewhat common, this is quite serious for a site like PayPal, where user accounts are linked directly to bank accounts, debit, or credit cards and payment can be made to third parties without any additional authentication after user access is gained.

Pentagon Web Site Vulnerabilities Identified

Pentagon Web Site Vulnerabilities Identified

A Romanian hacker has on December 6th identified input validation deficiencies in URL parameter handling leading to security vulnerabilities on a section of the official site of the Pentagon, http://pentagon.afis.osd.mil, the headquarters of the U.S. Department of Defense. The hacker who identifies himself as Ne0h has posted images of the vulnerabilities, which are still active at the time of this blog post, on his blog.