Babylon Translator Cross Site Scripting

Published: 02 Jun 2016. Reported by Francisco Javier Santiago Vázquez. Type: packetstorm. Source: packetstormsecurity.com

Babylon Translator XSS Vulnerability and Disclosure

```text
I. VULNERABILITY
-------------------------
Vulnerability: Cross-Site Scripting (XSS)


II. PROOF OF CONCEPT
-------------------------

URL:

1. http://espanol.babylon-software.com/bht/index.html?trid=
2. http://traductor.babylon-software.com/ingles/a-espanol/
3. http://traduccion.babylon-software.com/?trid=

Vector: <img src=1 onerror=alert("n0ipr0cs");>/

State: unpatched


III. SYSTEMS AFFECTED
-------------------------
The vulnerability affects the Babylon Translator and the Babylon web site.


IV. ABOUT BABYLON
-------------------------

Babylon was founded in 1997 and is headquartered in Tel Aviv (Israel).
Babylon offers a range of services to end users and businesses.

The translator offers translations in 77 languages, English included. The
software is sold worldwide, is used in more than 168 countries and has a
growing base of more than 90 million desktop installations. In addition it
has apps for iPhone, Android, Windows, BlackBerry and Kindle, and a Pro
service for businesses.

Babylon also offers monetization services for content providers, web
publishers, bloggers and webmasters.

The company even provides web search services; it is also a search engine.


V. CREDITS
-------------------------
These vulnerabilities were discovered by
Francisco Javier Santiago Vázquez aka "n0ipr0cs"
(https://es.linkedin.com/in/francisco-javier-santiago-v%C3%A1zquez-1b654050)
(https://twitter.com/n0ipr0cs).


VI. DISCLOSURE TIMELINE
-------------------------
April 03, 2016: Vulnerability discovered by Francisco Javier Santiago Vázquez aka "n0ipr0cs".
April 03, 2016: Responsible disclosure to Babylon Security Team.
April 04, 2016: Responsible disclosure to Babylon Security Team.
May 18, 2016: Responsible disclosure to Babylon Security Team.

June 02, 2016: Disclosure.


VII. LINKS
-------------------------
POC: http://www.estacion-informatica.com/2016/06/xss-en-babylon.html


Francisco Javier Santiago Vázquez, Ethical Hacker and Forensic Analyst
<http://www.linkedin.com/pub/francisco-javier-santiago-v%C3%A1zquez/50/540/1b6>
<http://estacioninformatica.blogspot.com.es/>
<https://twitter.com/n0ipr0cs>
```
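The advisory reports that the `trid` query parameter is reflected into the page without encoding. The following is an added example, not code from the advisory or from Babylon: it shows the vulnerable reflection pattern beside its hardened form (context-aware HTML output encoding with `html.escape`), plus a small regression check a defender can run to confirm that markup-bearing input no longer comes back as markup. The `render_*` functions and the page template are hypothetical stand-ins for whatever server code produces the affected pages; the only value taken from the advisory is the quoted vector, used here purely as test input.

```python
"""Reflected XSS on a query parameter: vulnerable reflection vs hardened output.

Added example; not the advisory's or Babylon's code. The page template and
the render functions are hypothetical stand-ins for the real server code.
"""
import html
import re
from urllib.parse import parse_qs, quote, urlsplit

# Vector quoted in the advisory, used here only as regression-test input.
ADVISORY_VECTOR = '<img src=1 onerror=alert("n0ipr0cs");>'


def build_test_url(base: str, trid: str) -> str:
    """Constructed request URL with the parameter percent-encoded,
    the way a browser would actually send it on the wire."""
    return f"{base}?trid={quote(trid)}"


def trid_from_url(url: str) -> str:
    """Extract the trid parameter as the affected page would see it
    (parse_qs percent-decodes the value)."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("trid", [""])[0]


def render_vulnerable(trid: str) -> str:
    """Interpolates the raw parameter into HTML: the pattern behind the report.
    The value lands both in an attribute and in element content."""
    return f'<div id="translation" data-trid="{trid}">{trid}</div>'


def render_hardened(trid: str) -> str:
    """Same template with output encoding applied at the point of insertion.
    quote=True also escapes the quote characters, which matters for the
    attribute context; element content needs at least < > & escaped."""
    safe = html.escape(trid, quote=True)
    return f'<div id="translation" data-trid="{safe}">{safe}</div>'


# Matches the start of an HTML tag (opening or closing).
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z]")


def reflects_markup(render, payload: str) -> bool:
    """Regression check for a renderer: does a markup-bearing input add tags
    to the output beyond the template's own? Compares against an empty value
    so the template's own <div> markup is not counted as a finding."""
    baseline_tags = len(TAG_RE.findall(render("")))
    output_tags = len(TAG_RE.findall(render(payload)))
    return output_tags > baseline_tags


def security_headers() -> dict:
    """Defense in depth alongside output encoding: a CSP without
    'unsafe-inline' blocks inline event handlers such as onerror even if
    an encoding bug slips through. Policy shown is a constructed example."""
    return {"Content-Security-Policy": "default-src 'self'; script-src 'self'"}


if __name__ == "__main__":
    url = build_test_url("http://espanol.babylon-software.com/bht/index.html",
                         ADVISORY_VECTOR)
    value = trid_from_url(url)
    print("vulnerable reflects markup:", reflects_markup(render_vulnerable, value))
    print("hardened reflects markup:  ", reflects_markup(render_hardened, value))
    print(render_hardened(value))
```

The check compares tag counts against a baseline render of an empty value, so it works for any template that carries its own markup; it flags the raw interpolation and passes the escaped one. Encoding at the point of insertion (and matching the encoding to the context, attribute versus element content) is the actual fix; the CSP header is a second layer that limits what an encoding slip can do, not a substitute.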
