Tuesday, February 26, 2013


After Panda Security, AVG, Kaspersky and continuing my project to find XSS flaws on antivirus vendors, I found out a DOM XSS vulnerability located at the McAfee website:
 A user could inject code for example:
<img src=f00bar onerror=prompt("xss");>
...on the input text in the form "Search the Threat Library".
When changing the select box it will get the XSS vector executed on the browser.

This "self-XSS" it's a minor security issue but still can be used to trick other users and a good way to check the security policies of McAfee.

 Keep in mind that this issue has been fixed.
My congratulations on the good and fast support from McAfee security team.

No comments:

Post a Comment