Advisory:           pages.ebay.de - DOM based Cross-site Scripting vulnerability
Advisory ID:        SSCHADV2013-011
Author:             Stefan Schurtz
Affected Software:  Successfully tested on pages.ebay.de
Vendor URL:         http://www.ebay.com
Vendor Status:      fixed

==========================
Vulnerability Description
==========================

The website 'pages.ebay.de' is prone to a DOM based XSS vulnerability.

==========================
PoC-Exploit
==========================

// IE10 / SRWare Iron 24.0 / Google Chrome 27.0

http://pages.ebay.de/kaeuferschutz/fragen-antworten.html?tSection=1111#">

==========================
Disclosure Timeline
==========================

19-Oct-2013 - vendor informed by contact form http://pages.ebay.com/securitycenter/researchers.html
21-Oct-2013 - feedback from eBay Security Research team
22-Oct-2013 - sending more information about the XSS to the eBay Security Research team
25-Oct-2013 - vendor asks for more technical information
26-Oct-2013 - technical details sent to eBay Security Research team
07-Nov-2013 - vulnerability seems to be fixed
11-Nov-2013 - eBay Security Research team confirms the fix

==========================
Credits
==========================

Vulnerability found and advisory written by Stefan Schurtz.

==========================
References
==========================

http://www.ebay.com
http://www.darksecurity.de/advisories/2013/SSCHADV2013-011.txt
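
Added example, not part of the original advisory and not eBay's code: the PoC fragment begins with `">`, the character pair that ends a double-quoted attribute value and its tag, so the sketch below shows that class of flaw next to its hardened form. The sink (a fragment concatenated into an `href` attribute), the link markup and all function names are assumptions made for illustration; the advisory does not describe the page's script.

```javascript
// Constructed sample: the advisory's URL, with the fragment only as far as the page shows it.
const SAMPLE_URL =
  'http://pages.ebay.de/kaeuferschutz/fragen-antworten.html?tSection=1111#">';

// Source: the fragment is not sent to the server, so only client-side code can encode it.
function fragmentOf(url) {
  const i = url.indexOf('#');
  if (i === -1) return '';
  const raw = url.slice(i + 1);
  try {
    return decodeURIComponent(raw);
  } catch (e) {
    return raw; // malformed percent-escape: fall back to the raw text
  }
}

// Assumed vulnerable pattern: fragment concatenated into a double-quoted attribute.
function renderUnsafe(url) {
  return '<a href="#' + fragmentOf(url) + '">link</a>';
}

// Hardened form: encode every character that can end the attribute or open a tag.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const DECODE = Object.fromEntries(Object.entries(ENTITIES).map(([k, v]) => [v, k]));

function escapeAttr(s) {
  return s.replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

function renderSafe(url) {
  return '<a href="#' + escapeAttr(fragmentOf(url)) + '">link</a>';
}

// Check: the href value an HTML parser would read must equal '#' + fragment.
// If the attribute ends early, the rest of the fragment has become markup.
function attributeIntact(markup, url) {
  const m = /^<a href="([^"]*)"/.exec(markup);
  if (!m) return false;
  const value = m[1].replace(/&(?:amp|lt|gt|quot|#39);/g, (e) => DECODE[e]);
  return value === '#' + fragmentOf(url);
}

console.log(renderUnsafe(SAMPLE_URL), attributeIntact(renderUnsafe(SAMPLE_URL), SAMPLE_URL));
console.log(renderSafe(SAMPLE_URL), attributeIntact(renderSafe(SAMPLE_URL), SAMPLE_URL));
```

In a real page the same result comes from assigning the value with `setAttribute` or `textContent` instead of building markup from strings.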