Vulnerability Note VU#808921
eBay contains a cross-site scripting vulnerability
The eBay web site contains a cross-site scripting vulnerability.
eBay is a popular auction web site. When an eBay user posts an auction, eBay allows SCRIPT tags to be included in the auction description. This creates a cross-site scripting vulnerability in the eBay website. More information about cross-site scripting is available in CERT Advisory CA-2000-02.
An attacker may be able to obtain sensitive data from the eBay web site. As of the publication of this document, attackers are using this vulnerability to redirect auction viewers to phishing sites and to modify the eBay auction page to steal credentials. A wide range of impacts may be possible, including disclosure of passwords, credit card numbers, or other personal information. Likewise, information stored in cookies could be stolen or corrupted. An attacker could also exploit web browser vulnerabilities that require scripting support.
We are currently unaware of a practical solution to this problem, however the following workarounds may help mitigate the vulnerability:
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|eBay||Affected||28 Feb 2006||02 Apr 2006|
CVSS Metrics (Learn More)
Thanks to Dan Plakosh of CERT/CC for reporting this vulnerability.
This document was written by Will Dormann.
- CVE IDs: Unknown
- CERT Advisory: CA-2000-02
- Date Public: 19 Apr 99
- Date First Published: 03 Apr 2006
- Date Last Updated: 02 May 2006
- Severity Metric: 9.58
- Document Revision: 18
If you have feedback, comments, or additional information about this vulnerability, please send us email.