DEFTCODE( 2 )

GPG - 2048R/6D378CAF

Disclosure: Yahoo! Finance Cross-site Scripting

Description

Found a Stored Cross-site Scripting vulnerability in Yahoo! Finance (tested on all sub-domains *.yahoo.finance.com).

At Yahoo Finance, you get free stock quotes, up to date news, portfolio management resources, international market data, message boards, and mortgage rates that help you manage your financial life.

Proof of Concept of Stored XSS:

https://it.finance.yahoo.com/portfolio/pf_XX/sort, where XX is the id of the created portfolio.
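The page does not say which stored field reaches the sort page unencoded, so the following is an added illustration of the bug class only, not Yahoo!'s code: it assumes, hypothetically, that a user-chosen portfolio name is stored and later interpolated into the page. It places the vulnerable render beside the hardened one and includes the regression check a defender would keep in a test suite. The function names, the `pf_` id format and the sample stored value are constructed for this example.

```python
import html

# Constructed sample: a stored, user-controlled display name for a portfolio.
# The real injection point of the reported issue is not stated on the page;
# treating the portfolio name as the stored field is an assumption.
STORED_PORTFOLIO_NAME = '<script>alert(1)</script>'


def render_sort_page_vulnerable(portfolio_id: int, name: str) -> str:
    """Vulnerable form: the stored name is interpolated into HTML verbatim,
    so any markup saved earlier executes in every viewer's browser (stored XSS)."""
    return f'<h1>Portfolio pf_{portfolio_id}: {name}</h1>'


def render_sort_page_fixed(portfolio_id: int, name: str) -> str:
    """Hardened form: the stored name is HTML-entity encoded for the text-node
    context it is written into. quote=True also encodes quotes, which keeps the
    same helper safe if the value is ever reused inside a quoted attribute."""
    return f'<h1>Portfolio pf_{portfolio_id}: {html.escape(name, quote=True)}</h1>'


def stored_markup_survives(rendered: str, stored: str) -> bool:
    """Detection/regression check: True when the stored string reaches the
    rendered page unchanged, i.e. no output encoding was applied."""
    return stored in rendered


if __name__ == "__main__":
    # Hypothetical portfolio id 42 (the page writes it as pf_XX).
    for render in (render_sort_page_vulnerable, render_sort_page_fixed):
        page = render(42, STORED_PORTFOLIO_NAME)
        status = "UNSAFE" if stored_markup_survives(page, STORED_PORTFOLIO_NAME) else "ok"
        print(f"{render.__name__}: {status}\n  {page}")
```

The check compares the stored value against the rendered output rather than looking for specific tags, so it flags any field that is emitted without encoding, whichever payload the test data happens to use.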

Example demonstration screen: [screenshot: Yahoo Stored XSS]

Disclosure:

Acknowledgement

Thanks to the Yahoo! Security Team for adding me to the Wall of Fame.