Reflected XSS in (

My first valid XSS bug submission to Nokia was a textbook example of a reflected Cross-Site Scripting vulnerability.

It was enough to abuse the “Search” box with the payload below, albeit it worked only in Internet Explorer browser:


After visiting the following URL, the JavaScript code was executed:</script><script/%00%00v%00%00>alert('')</script>


[November 30th 2013] - bug was reported
[January 3rd 2014] - bug was fixed

Leave a Reply

Your email address will not be published. Required fields are marked *