http://www.mcafee.com/us/mcafee-labs.aspx
A user could inject code, for example:
<img src=f00bar onerror=prompt("xss");>
into the input text of the form "Search the Threat Library".
Changing the select box then causes the XSS vector to execute in the browser.
This "self-XSS" is a minor security issue, but it can still be used to trick other users, and it is a good way to check the security policies of McAfee.
Keep in mind that this issue has been fixed.
My congratulations on the good and fast support from the McAfee security team.
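The bug class described above, as an added example that is not from the original post or from McAfee's code: a select-change handler that concatenates the search text into markup, next to a version that HTML-escapes it first. The function names, the wrapper markup and the category value are assumptions, since the post does not show the page's handler.

```javascript
// Constructed example: the real page's markup and handler are not shown in the post.
// The payload is the one quoted in the post, as typed into the search box.
const PAYLOAD = '<img src=f00bar onerror=prompt("xss");>';

// Vulnerable pattern (assumed): on select change, the handler builds markup by
// string concatenation and the result is later assigned to innerHTML.
function renderSummaryUnsafe(searchText, category) {
  return '<p class="summary">Results for ' + searchText + ' in ' + category + '</p>';
}

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode the characters that let text break out of an HTML text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened pattern: every user-controlled value is encoded before it reaches markup.
// In a browser, assigning the value to element.textContent achieves the same result
// without building an HTML string at all.
function renderSummarySafe(searchText, category) {
  return '<p class="summary">Results for ' + escapeHtml(searchText) +
         ' in ' + escapeHtml(category) + '</p>';
}

// Regression check: count opening tags in the rendered markup. Only the wrapper
// <p> is expected; anything more means user input was parsed as HTML.
function countOpeningTags(markup) {
  return (markup.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

function injectsElements(markup) {
  return countOpeningTags(markup) > 1;
}

console.log('unsafe injects elements:', injectsElements(renderSummaryUnsafe(PAYLOAD, 'Malware')));
console.log('safe injects elements:  ', injectsElements(renderSummarySafe(PAYLOAD, 'Malware')));
```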