Ch. Muhammad Osama, an independent vulnerability researcher has discovered a Content Spoofing vulnerability in XBOX Blog news.xbox.com, which can be exploited by an attacker to conduct XSS attacks.
Content Spoofing :-
Content spoofing, also referred to as content injection or virtual defacement, is an attack targeting a user made possible by an injection vulnerability in a web application. When an application does not properly handle user supplied data, an attacker can supply content to a web application, typically via a parameter value, that is reflected back to the user. This presents the user with a modified page under the context of the trusted domain.
This attack is typically used as, or in conjunction with, social engineering because the attack is exploiting a code-based vulnerability and a user’s trust.
Proof of Concept :-
Conclusion :-
This vulnerability has been confirmed and patched by Microsoft Security Team. I would like to thank them for their quick response to my report.
Status : Fixed!
Hall of Fame : Yes!
Bounty: No!