Summary
The /api/v1/widget endpoint of cust-api.trustratings.com is vulnerable to a reflected cross-site scripting attack. The value of the hostname passed to the API endpoint is reflected back without any filtering or encoding, which allows an attacker to run arbitrary JavaScript in the victim’s browser.
Severity
Moderate - The endpoint is vulnerable to a reflected cross-site scripting attack, which can allow attackers to inject malicious code into the page rendered for a victim.
Proof of Concept
As an example, if a victim clicks the following link to the TrustRatings domain, they will get a browser alert demonstrating JavaScript execution:
https://cust-api.trustratings.com/api/v1/widget/ggc00%22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3esiud8?background=white&orientation=horizontal
Further Analysis
It is recommended that TrustRatings perform HTML encoding on any parameters that will be inserted into HTML, so that characters such as <, >, " and & in the hostname value can no longer close the surrounding markup or introduce new elements.
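One way to apply the recommended output encoding, shown as an added example that is not TrustRatings' code: a widget template that concatenates the hostname directly (the vulnerable pattern) beside one that HTML-entity encodes every dynamic value and allowlists the style parameters. The template structure, the background and orientation values, and the hostname validation regex are assumptions for illustration; the sample hostname is the URL-decoded path segment from the proof of concept above.

```javascript
// Added example (not TrustRatings' code): the widget markup built unsafely vs. with
// output encoding. Dynamic values land inside a quoted attribute and inside element
// text, so each one must be HTML-entity encoded before it is inserted.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Encode the five characters that can break out of HTML text or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Defence in depth (assumed policy): a hostname only ever contains letters, digits,
// hyphens and dots, so anything else can be rejected before it reaches the template.
const HOSTNAME_RE =
  /^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$/i;
function isValidHostname(value) {
  return HOSTNAME_RE.test(value);
}

// Vulnerable pattern: the hostname is concatenated straight into the markup.
function renderWidgetUnsafe(hostname, background, orientation) {
  return `<div class="widget" data-host="${hostname}" style="background:${background}">` +
         `<span class="${orientation}">${hostname}</span></div>`;
}

// Hardened pattern: the hostname is encoded; background and orientation are allowlisted
// (assumed values), so no caller-controlled string reaches the markup unencoded.
function renderWidgetSafe(hostname, background, orientation) {
  const bg = background === 'white' || background === 'black' ? background : 'white';
  const orient = orientation === 'vertical' ? 'vertical' : 'horizontal';
  const host = escapeHtml(hostname);
  return `<div class="widget" data-host="${host}" style="background:${bg}">` +
         `<span class="${orient}">${host}</span></div>`;
}

// Constructed input: the advisory's proof-of-concept path segment, URL-decoded.
const POC_HOSTNAME = 'ggc00"><img src=a onerror=alert(1)>siud8';
```

Running the two renderers on POC_HOSTNAME shows the unsafe one emitting a live img element while the hardened one emits only inert entity text, and isValidHostname rejects the value outright.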
Timeline
Date reported: 4/18/2023
Date fixed:
Date disclosed: 8/8/2023