A BBC page has been detected as being at risk to cross site scripting (XSS).
ProCheckUp has published a vulnerability showing that the Betsie (BBC education text to speech internet enhancer) page is vulnerable to XSS with the ability to inject malicious characters into the requested path. Additionally, Betsie discloses the webroot when the parser.pl program is called without any parameters.
The system is designed to give people with disabilities easier access to the internet by converting web pages into graphic-free, text-only versions used by text-to-speech systems.
ProCheckUp claimed that an attacker may be able to cause execution of malicious scripting code in the browser of a user who clicks on a link to a Betsie site and such code would run within the context of the target domain.
Rolando Fuentes, security consultant at ProCheckUp, claimed that this type of attack can result in non-persistent defacement of the target site, or the redirection of confidential information (such as session IDs) to unauthorised third parties.
“It's disappointing to find common threats such as these targeted at systems designed to support people with disabilities ,” said Fuentes.
See original article on scmagazineuk.com
Disability site vulnerable to XSS attack
Betsie under threat.
Got a news tip for our journalists? Share it with us anonymously here.
Sponsored Whitepapers

See everything. Do more.

Lindentech Secures Digital Identity with Zero Trust and Microsoft Entra

Diamond IT Delivers GRC Transformation with Microsoft Purview

Linktech Powers Energy Trader’s Essential Eight Compliance in Just Eight Weeks

Byte Delivers Future-Ready IT: Transforming Endpoint Security and Productivity with a Cloud-First Strategy