XSS, homes.yahoo.net, Cross Site Scripting, Javascript Injection, CWE-79, CAPEC-86, PoC, Resolved

PoC Summary

The Mortgage Calculator in homes.yahoo.net was vulnerable to Reflected Cross-Site Scripting (RXSS) in multiple parameters. Reported to Y! Security in October 2013 and more recently resolved, this PoC was outside the scope of the Y! Bug Bounty Program.
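The reflected-XSS pattern in a calculator endpoint beside its fix, as an added example that is not code from this post or from Yahoo's site; the parameter names amount, rate, years and label and the page layout are assumptions.

```python
"""Added example, not code from the XSS.Cx post or from Yahoo's calculator.
It sketches how a mortgage calculator can reflect query parameters into its
response and how input validation plus output encoding removes the CWE-79 bug."""
from html import escape
from urllib.parse import parse_qs


def monthly_payment(principal: float, annual_rate_pct: float, years: int) -> float:
    """Standard amortized payment: P*r / (1 - (1+r)^-n), monthly rate r, n months."""
    n = years * 12
    r = annual_rate_pct / 100 / 12
    if r == 0:
        return principal / n
    return principal * r / (1 - (1 + r) ** -n)


def _params(query: str) -> dict:
    """First value of each query-string parameter (hypothetical parameter names)."""
    return {k: v[0] for k, v in parse_qs(query).items()}


def render_vulnerable(query: str) -> str:
    """Reflects raw parameter values into HTML: the reflected-XSS pattern."""
    p = _params(query)
    return (f"<h1>Results for {p.get('label', '')}</h1>"
            f"<p>Amount: {p.get('amount', '')} Rate: {p.get('rate', '')}% "
            f"Years: {p.get('years', '')}</p>")


def render_hardened(query: str) -> str:
    """Validates numeric fields and HTML-escapes every reflected string."""
    p = _params(query)
    try:
        amount = float(p.get("amount", ""))
        rate = float(p.get("rate", ""))
        years = int(p.get("years", ""))
    except ValueError:
        return "<p>Invalid input.</p>"  # reject rather than echo the bad value
    if amount <= 0 or rate < 0 or not 1 <= years <= 50:
        return "<p>Invalid input.</p>"
    label = escape(p.get("label", ""), quote=True)  # encode for an HTML text context
    payment = monthly_payment(amount, rate, years)
    return (f"<h1>Results for {label}</h1>"
            f"<p>Amount: {amount:.2f} Rate: {rate:.2f}% Years: {years} "
            f"Monthly payment: {payment:.2f}</p>")


if __name__ == "__main__":
    # Constructed request with a harmless markup probe in the free-text field.
    q = "amount=200000&rate=4.5&years=30&label=<script>probe</script>"
    print(render_vulnerable(q))  # echoes the tag unchanged
    print(render_hardened(q))    # tag arrives as &lt;script&gt;...
```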

Y! Bug Bounty Scope

The domains and properties below are in the scope of the program:
*.yahoo.com
*.flickr.com
All Yahoo and Flickr branded mobile apps.
All Yahoo and Flickr branded client side applications.

Comments

Yahoo Corp. recently established a Vulnerability Reporting Program (VRP) that met the criteria for our Reporting Bugs in Private. Companies don't need to offer money, but it's great when they do. Just having a Coordinated Vulnerability Disclosure Document and responding in a timely manner will often result in Private Vulnerability Reports being sent to a Target from Reporters worldwide.