Just another XSS vuln affecting Digg
- a very active author - discovered it and notified us. Although we could not reproduce the last XSS in Digg (the reason being that it was promptly fixed), this time we were able to mirror it, and want to believe that the author has already contacted their staff in order to let them know about the issue. We also contacted Digg - just to make sure that the associated possible risks are kept to the minimum severity.
Currently, this XSS works with the latest version of Internet Explorer. Most probably it does not work with Firefox.
It can be exploited by malicious users to compromise user accounts, "digg bomb" stories and perform cross-site request forgeries (CSRF) - as with most XSS.
It is almost a certainty that this XSS is not the last one. Digg has suffered in the past from XSS vulnerabilities, but fixed them all pretty quickly: