Critical Stored XSS on

The vulnerability is located in the real name parameter during registration. During registration, attackers could insert malicious payloads into the ‘real name’ parameter. Basically, every page that the name of the attacker account gets printed will execute the malicious code. It can also be use with XSRF to further exploit the vulnerability.
This vulnerability is reported on 10 November 2012 and fixed on 24 November 2012.
The bug fixing process went very smoothly, thanks to the great engineer team!



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s