Metamorfosec Security Advisory METS-2018-003

A Cross-Site Scripting (XSS) Vulnerability in German Spelling Dictionary 1.3

FIRST PUBLISHED: August 1, 2018
VERSION: 1.1 (December 20, 2018)
VENDOR: valeuraddons
PRODUCT: German Spelling Dictionary
VERSION AFFECTED: 1.3 (and maybe older)
CVE-ID: CVE-2018-12587

PRODUCT DESCRIPTION:
German Spelling Dictionary is intended to check German text for spelling mistakes. By selecting text on a web page and clicking the German flag in the top-right corner of the browser, the user can have the selected text checked for spelling mistakes.

FINDING:
A cross-site scripting (XSS) vulnerability was found in valeuraddons German Spelling Dictionary v1.3 (an Opera Browser add-on). Instead of providing text for a spelling check, remote attackers may inject arbitrary web script or HTML via the ajax query parameter in the URL address bar, because the parameter value is reflected into the response without being encoded.

PROOF OF CONCEPT:
http://valeuraddons.com/GermanSpellingDictionary/ajax_query.php?x=[XSS Payload]

MITIGATION:
At the time advisory v1.1 was released, this add-on no longer appeared on addons.opera.com. The good news is that OBB-610381 has been marked as patched since August 19, 2018.

ADVISORY TIMELINE:
Apr 30, 2018 - Vulnerability found and submitted to OpenBugBounty
May 1, 2018 - Initial contact to vendor
May 16, 2018 - Get first response from vendor
Jun 12, 2018 - Second contact to vendor (no response)
Jun 19, 2018 - Request for CVE-ID
Jun 20, 2018 - Get CVE-ID (CVE-2018-12587, still Reserved)
Jul 12, 2018 - Third contact to vendor (no response)
Jul 26, 2018 - Fourth contact to vendor (no response)
Aug 1, 2018 - Release Advisory v1.0 and request to announce CVE-2018-12587

REVISION HISTORY:
Version 1.0 (Aug 1, 2018) - First release
Version 1.1 (Dec 20, 2018) - Update Version, Mitigation, Revision History, and Disclaimer sections

REFERENCES:
https://addons.opera.com/en/extensions/details/german-spelling-dictionary/
https://www.openbugbounty.org/reports/610381/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12587

DISCLAIMER:
The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide information that is as accurate as possible. The latest version of this security advisory is available on our website.
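The finding above is a reflected XSS: a query parameter is echoed into the HTML response unencoded. The following Python sketch is an added example, not code from the advisory or from valeuraddons, and it does not reproduce the vendor's real ajax_query.php. It models a handler that reflects a query parameter, shows the vulnerable rendering beside the hardened one (HTML-escaping the value for an element-content context), and adds the defence-in-depth response headers a maintainer would normally set. The URL, parameter name, function names and header values are assumptions.

```python
"""Reflected-XSS demonstration and fix (added example; hypothetical handler)."""
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed request URL (assumption): the "x" query parameter carries the text
# to be spell-checked, and the value below is a harmless markup probe.
CONSTRUCTED_URL = (
    "http://example.invalid/ajax_query.php?x=%3Cscript%3Eprobe()%3C/script%3E"
)


def query_param(url: str, name: str) -> str:
    """Return the first (percent-decoded) value of `name` from the URL's query."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get(name, [""])[0]


def render_vulnerable(text: str) -> str:
    """Echo the submitted text straight into HTML.

    Any markup inside `text` becomes part of the page and is parsed by the
    browser: this is the reflected-XSS pattern the advisory reports.
    """
    return f"<div class='result'>You searched for: {text}</div>"


def render_hardened(text: str) -> str:
    """Same page, but the untrusted value is escaped for element content.

    html.escape turns '<', '>', '&' and both quote characters into entities,
    so the browser renders the probe as literal text instead of a <script> tag.
    """
    return f"<div class='result'>You searched for: {escape(text, quote=True)}</div>"


def response_headers() -> dict:
    """Defence-in-depth headers (hypothetical policy values).

    An explicit charset prevents encoding-sniffing tricks, nosniff stops the
    response being reinterpreted as another type, and the CSP refuses inline
    scripts even if an encoding bug slips through.
    """
    return {
        "Content-Type": "text/html; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    }


def reflects_raw_markup(rendered: str, probe: str) -> bool:
    """True when the probe survives verbatim in the response (i.e. reflected XSS)."""
    return probe in rendered


if __name__ == "__main__":
    probe = query_param(CONSTRUCTED_URL, "x")
    print("vulnerable:", render_vulnerable(probe))
    print("hardened:  ", render_hardened(probe))
    print("reflected in vulnerable:", reflects_raw_markup(render_vulnerable(probe), probe))
    print("reflected in hardened:  ", reflects_raw_markup(render_hardened(probe), probe))
```

The escaping in `render_hardened` is correct only for text placed between tags; a value inserted into an attribute, a URL or a script block needs the encoding appropriate to that context, which is why the CSP in `response_headers` is kept as a second layer rather than a substitute for output encoding.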