Security Experts:

Connect with us

Hi, what are you looking for?



Researcher Rewarded for XSS in Mozilla Add-ons Site

Mozilla has awarded a researcher $2,500 for responsibly disclosing a stored cross-site scripting (XSS) vulnerability affecting the company’s add-ons website.

Mozilla has awarded a researcher $2,500 for responsibly disclosing a stored cross-site scripting (XSS) vulnerability affecting the company’s add-ons website.

Ashar Javed, a penetration tester at Hyundai AutoEver Europe, identified a total of three XSS vulnerabilities on Mozilla’s websites.

The most serious of the issues is a stored XSS found in Mozilla’s add-ons site, more precisely in the collections feature, which is designed to allow users to create and share groups of similar add-ons.

When users create a collection, they have to enter a name, a description and specify the add-ons that will be in the collection. The expert discovered that the “name” field was plagued by a stored XSS that could have been exploited to execute arbitrary JavaScript code. The flaw existed because Mozilla failed to properly filter the “<” character, allowing attackers to construct a payload such as </title><svg/onload =confirm(document.domain)//.

According to Javed, an attacker could have exploited the vulnerability to serve malware or for other malicious purposes simply by tricking the victim into accessing the URL of a malicious collection.

“Given that the Mozilla add-on site has millions of downloads, it is easily possible for the attacker to convince the victim to visit the collection page,” the expert told SecurityWeek.

One way to get users to trigger the malicious code would be to post comments on the pages of popular add-ons with links to the attacker’s collection, Javed said.

The researcher reported the vulnerability to Mozilla on December 26 and a fix was rolled out on January 7. The organization awarded the researcher $2,500 for the flaw, which he claims to have found within minutes.

The other two XSS flaws found by Javed on Mozilla websites, namely the add-ons and the support sites, have been classified as low risk and still haven’t been fixed. The expert told SecurityWeek that these are self-XSS bugs, which Mozilla is currently working to patch.

This was not the first time Javed received a significant bounty for an XSS vulnerability. In October, the expert said Google awarded him $3,000 for a reflected XSS in the main search bar of the YouTube Gaming website.

Related Reading: XSS Flaw Exposed eBay Users to Phishing Attacks

Related Reading: Flaw in SAP Firm’s XSS Filter Exposed Many Sites to Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.


Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.