Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Virgin Mobile Cross Site Scripting

🗓️ 26 Oct 2015 00:00:00Reported by Tommy DeVossType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 21 Views

Virgin Mobile XSS Vulnerability discovered in 2015. Remote attackers can exploit the vulnerability on the official website without privileged user account. Vendor released patch on 2015-10-22

Code
`Document Title:  
===============  
Virgin Mobile Client Side XSS Vulnerability  
  
Release Date:  
=============  
2015-10-22  
  
Common Vulnerability Scoring System:  
====================================  
3.4  
  
  
Product & Service Introduction:  
===============================  
Virgin Mobile is a celluar company operating in the US and Canada.  
  
  
Abstract Advisory Information:  
==============================  
An independent researcher discovered a client-side cross site scripting web vulnerability in the official Virgin Mobile online service web-application.  
  
  
Vulnerability Disclosure Timeline:  
==================================  
2015-10-16: Discovery  
2015-10-19: Initial contact to [email protected]  
2015-10-19: Vendor replies and requests more information  
2015-10-20: Additional information provided along with PoC  
2015-10-22: Vendor Released Patch  
  
  
Discovery Status:  
=================  
Published  
  
  
Affected Product(s):  
====================  
Virgin Mobile  
  
  
Exploitation Technique:  
=======================  
Remote  
  
  
Severity Level:  
===============  
Medium  
  
  
Technical Details & Description:  
================================  
Request Method(s):  
[+] GET  
  
Vulnerable Service(s):  
[+] Virgin Mobile (virginmobile.ca)  
  
Vulnerable Module(s):  
[+] Search  
  
Vulnerable Parameter(s):  
[+] q  
  
Affected Section(s):  
[+] Merchant Search Results  
  
  
Proof of Concept (PoC):  
=======================  
The client-side cross site scripting web vulnerability can be exploited by remote attackers without privileged application user account and with low user interaction (click).  
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.  
  
PoC:   
  
http://www.virginmobile.ca/en/search/search.html?q=%27%3E%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28String.fromCharCode%2888%2C83%2C83%2C80%2C79%2C83%2C69%2C68%29%29%3E&local=yes&x=54&y=25&province=ON&geoResult=failed  
  
Solution - Fix & Patch:  
=======================  
2015-10-15: Vendor Fix/Patch (Virgin Mobile - Developer Team)  
  
  
Credits & Authors:  
==================  
Tommy DeVoss - ([email protected])  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
26 Oct 2015 00:00Current
7.4High risk
Vulners AI Score7.4
virgin mobilexssvulnerabilityremote attackerspatch2015 discoverywebsite
21