Created attachment 239793 [details]
Vulnerability in action

From the security inbox:

--
I found an XSS vulnerability on your website at https://dev.eclipse.org/site_login/?takemeback=http://www.eclipse.org/forums/index.php?t=login
Please download my screenshot.

Step 1: go to http://www.eclipse.org/ ; then you can see the forum at http://www.eclipse.org/forums/
Step 2: go to log in; you can see the email text box.
Step 3: insert this code: "><img src=x onerror=prompt(1);>"<br><h1>You have been HACKED! </h1>" then click the login button and wait a few seconds.
Finally done! You can see the stored XSS vulnerability.
--
https://git.eclipse.org/r/#/c/21818/

That was a regression from a past bug. If the email address wasn't a valid email address, we threw an error but displayed the invalid content without any untainting. An even more secure approach would be to clear the value altogether,
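The defect class described in the comment above, as an added illustration that is not the dev.eclipse.org code: a login form that reports an invalid e-mail address but reflects the rejected value into the page unescaped, next to the two hardened forms (escape before reflecting, or clear the rejected value). Function names and the sample input are constructed for this example.

```php
<?php
// Vulnerable pattern: validation fails, an error is shown, but the tainted
// value is still written into the value attribute verbatim, so any markup
// typed into the e-mail box becomes part of the page.
function render_email_field_vulnerable(string $email): string
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return '<p class="error">Invalid e-mail address</p>'
             . '<input type="text" name="email" value="' . $email . '">';
    }
    return '<input type="text" name="email" value="' . $email . '">';
}

// Hardened pattern 1: untaint with htmlspecialchars() before reflecting.
// ENT_QUOTES also encodes single quotes, so the value cannot break out of
// the attribute whichever quote style the template uses.
function render_email_field_escaped(string $email): string
{
    $safe  = htmlspecialchars($email, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $error = (filter_var($email, FILTER_VALIDATE_EMAIL) === false)
        ? '<p class="error">Invalid e-mail address</p>' : '';
    return $error . '<input type="text" name="email" value="' . $safe . '">';
}

// Hardened pattern 2 (the "clear the value altogether" approach): a value
// that failed validation is never reflected; one that passed is still escaped.
function render_email_field_cleared(string $email): string
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return '<p class="error">Invalid e-mail address</p>'
             . '<input type="text" name="email" value="">';
    }
    $safe = htmlspecialchars($email, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="email" value="' . $safe . '">';
}

// Constructed sample input modelled on the reporter's payload (not a valid
// e-mail address, so all three functions take the "invalid" branch).
$tainted = '"><img src=x onerror=prompt(1)>';
echo render_email_field_vulnerable($tainted), "\n"; // attribute is broken out of
echo render_email_field_escaped($tainted), "\n";    // quotes and brackets encoded
echo render_email_field_cleared($tainted), "\n";    // nothing of the input reflected
```

Run with `php example.php` and compare the three lines: only the first contains a live `<img>` element.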
Fixed http://git.eclipse.org/c/websites/dev.eclipse.org.git/commit/?id=6cf305cd3f6b6ad4d41d81a9f951b469741329c8
Do you have rewards for that report? ^_^
Unfortunately, we don't provide rewards. We do recognize and appreciate your efforts via this Bug :)