Manual Approval Thread

[ant4r3ja]

824296
824300
824304
824310

thanks

[ant4r3ja]

824340
824341
824342
824343
824344
824345
824348
824350
824351
824352
824353
824354
824355
824356
824357
824358
824359
824360

[ant4r3ja]

824361
824362
824363
824364
824365
824366
824367
824368
824369
824370
824371
824372
824373
824374
824375
824376

thanks

[x1admin]

approved

[cosmoio]

Hey,

I was wondering about: 822069. This is a reflected XSS based on a JSONP flaw on a service provided by a certain telecorporation. The JS itself won't be executed on that domain but can be executed somewhere else, e.g. via remote script injection on a different website <script src=telecorp.com/jsonp=..evil js />, there might even be the chance to do reflected downloading of malware. To me this is a severe issue.
You rejected it because, apparently, it's not reproducible. Did you have a look at my JSFiddle proving that this would work?

Can you tell me what your thoughts on this are, thank you?

Cheers,
cosmo

[secuninja]

825869

thx

[ant4r3ja]

825136
825137
825138
825139
825140
825141
825142
825143
825144
825145
825146

thanks

[metamorfosec_id]

Websites below are accessible:
827448
827449
827450
827451
827452
827453
827454
827455
827456
827457

Thank you...

[x1admin]

approved

[secuninja]

827849
thx