Submit #215331: Translator PoqDev 1.0.11 add-on Firefox - Universal XSS (UXSS)info

TitelTranslator PoqDev 1.0.11 add-on Firefox - Universal XSS (UXSS)
Beschreibung# Exploit Title: Translator PoqDev 1.0.11 add-on Firefox - Universal XSS (UXSS) # Date: 2023-10-01 # Exploit Author: Mostafa Farzaneh # Vendor Homepage: https://addons.mozilla.org/en-US/firefox/addon/translator-poqdev/ # Software Link: https://addons.mozilla.org/en-US/firefox/addon/translator-poqdev/ # Version: 1.0.11 # Tested on: Firefox 102.14.0esr (64-bit) # Description: The Translator PoqDev add-on of Firefox does not sanitize the entry of a user during translating selected text, so if there are any XSS payloads in selected text, this payload is executed on the user's browser. For example, when a user wants to translate comments that there are on YouTube, if a hacker sets the XSS payload in comments, then the payload via the Translator PoqDev add-on executes on the user's browser and the hacker can steal the user's cookie and access it. # Proof of concept 1- Install Translator PoqDev 1.0.11 on Firefox. 2- Select a text that includes an XSS payload and after that click on the icon of Translator PoqDev. For example, select the passage below and translate it by add-on. nice payload: <input type=image src onerror="alert(document.cookie)"> 3- The payload is executed on the user's browser and you see the user cooked by via an alert.
Quelle⚠️ https://fastupload.io/en/G5tO8X1vM8ge4qJ/file
Benutzer
 pyweb-security (UID 11883)
Einreichung01.10.2023 14:36 (vor 3 Jahren)
Moderieren10.10.2023 09:41 (9 days later)
StatusAkzeptiert
VulDB Eintrag241649 [Translator PoqDev Add-On 1.0.11 auf Firefox Select Text Cross Site Scripting]
Punkte20

Do you need the next level of professionalism?

Upgrade your account now!