Critical Stored XSS on

Alexa Ranking: 90
A persistent (stored) cross-site scripting vulnerability was located in the private message feature of the site. The message body is the vulnerable part. An attacker could use a </textarea> tag to close the textarea element and start executing malicious code. An attacker can simply send a private message to anyone. When a victim views the message, the JavaScript is executed.
Talking with Alan Schaaf (CEO of imgur) made my day. He’s nice and has a good sense of humour!
Reported on October 12 2012 and fixed on October 13 2012.
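The private-message flaw described above, shown beside its output-encoding fix. This is an added example, not code from the site or from the original post; the function names and the sample message are hypothetical and constructed for illustration.

```javascript
// Hypothetical server-side rendering of a private-message body into a <textarea>.

// Vulnerable form: the body is concatenated raw, so a "</textarea>" inside it
// ends the element and everything after it is parsed as ordinary HTML.
function renderMessageUnsafe(body) {
  return '<textarea readonly>' + body + '</textarea>';
}

// Escape the characters that are significant in HTML text and attribute values.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Hardened form: the body is encoded before it reaches the page.
function renderMessageSafe(body) {
  return '<textarea readonly>' + escapeHtml(body) + '</textarea>';
}

// Regression check: return whatever markup ends up OUTSIDE the textarea.
// A textarea's content ends at the first "</textarea" followed by whitespace,
// "/" or ">", so anything after that point is live HTML. Empty string = contained.
function markupOutsideTextarea(html) {
  const open = html.match(/^<textarea[^>]*>/i);
  if (!open) return html;
  const rest = html.slice(open[0].length);
  const close = rest.search(/<\/textarea[\s\/>]/i);
  if (close === -1) return '';
  return rest.slice(close).replace(/^<\/textarea[^>]*>/i, '');
}

// Constructed sample message body (not taken from the original report).
const SAMPLE_BODY = '</textarea><script>/* attacker-controlled */</script>';

console.log('unsafe leaks:', JSON.stringify(markupOutsideTextarea(renderMessageUnsafe(SAMPLE_BODY))));
console.log('safe leaks:  ', JSON.stringify(markupOutsideTextarea(renderMessageSafe(SAMPLE_BODY))));
```

The same check can run as a unit test against any template that places user-supplied text inside a textarea.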


