A cross-site scripting (XSS) vulnerability has been discovered on the website for security software provider Kaspersky, according to a post on xssposed.org by E1337, the handle of the security researcher who identified the vulnerability and reported it on Tuesday.
The XSS bug puts Kaspersky.com users, visitors and administrators at risk of having their cookies, personal data, authentication credentials and browser history stolen by attackers, according to the post, which adds that these are “probably the less dangerous consequences of XSS attacks.”
Since June 2014, researchers have reported to xssposed.org 11 other XSS vulnerabilities affecting Kaspersky websites, many of which impacted Kaspersky's Brazilian and Latin American sites. In all cases Kaspersky mitigated the issue within a week.
A Kaspersky spokesperson could not immediately provide additional information to SCMagazine.com.