Xss in worldserver 11.3.1.4668

First I found this bug in the Logitech company and reported it to HackerOne,
but they responded: "This tool is from a 3rd party vendor and we are wondering if they know about the issue or if you have reached out to them about this yet. www.sdl.com is the vendor in question"

Screenshot of Trados Studio login screen with an error message popup stating 'login.invalid' followed by special characters that could trigger an XSS attack.
As you all see, the URL-encoded GET input error set to login.invalid'"()&% can trigger XSS
and JS will execute.

Sorry, I haven't been able to share the link because of public and responsible disclosure.

You can contact me at fikrikhoir9089@gmail.com
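The defect described in the post is a reflected XSS: the value of the error query parameter is written into the login page without HTML encoding. The following added example (not code from the post, and not SDL/RWS WorldServer code) contrasts a vulnerable error-message template with a hardened one, using the exact probe value from the report. The URL host, the template markup and the function names are assumptions for illustration; the check at the end is the kind a reviewer or a regression test would run to confirm the parameter is no longer reflected raw.

```python
import html
from urllib.parse import parse_qs, quote, urlparse

# Probe value quoted in the report: the string that the login page reflected unescaped.
PROBE_ERROR_VALUE = "login.invalid'\"()&%"

# Constructed sample URL (hostname is a placeholder, not a real WorldServer instance).
SAMPLE_URL = "https://worldserver.example/login?error=" + quote(PROBE_ERROR_VALUE, safe="")


def error_from_query(url: str) -> str:
    """Extract the (URL-decoded) value of the error parameter from a login URL."""
    qs = parse_qs(urlparse(url).query, keep_blank_values=True)
    return qs.get("error", [""])[0]


def render_error_unsafe(error_value: str) -> str:
    """Vulnerable pattern: the parameter is interpolated into HTML verbatim,
    so quotes, parentheses and ampersands reach the browser unchanged."""
    return f'<div class="error">{error_value}</div>'


def render_error_safe(error_value: str) -> str:
    """Hardened pattern: HTML-entity-encode the value before interpolation.
    quote=True also encodes ' and ", which matters if the value ever lands
    inside an attribute rather than element text."""
    return f'<div class="error">{html.escape(error_value, quote=True)}</div>'


def reflects_raw_metacharacters(rendered: str, value: str) -> bool:
    """Regression check: True if the raw parameter value still appears in the
    rendered page unchanged (i.e. encoding was skipped somewhere)."""
    return value in rendered


if __name__ == "__main__":
    value = error_from_query(SAMPLE_URL)
    print("decoded error parameter:", value)
    print("unsafe render :", render_error_unsafe(value))
    print("safe render   :", render_error_safe(value))
    print("raw reflection in safe render:",
          reflects_raw_metacharacters(render_error_safe(value), value))
```

The same check applies to any other parameter the login page echoes; encoding at the point of output (or letting the template engine auto-escape) is the fix, since the login URL is attacker-controlled by design.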
