Even security solutions providers have insecure sites

Dec 19, 2011 10:13 GMT

We’re presented with another situation in which security solutions providers fail to protect their own public web assets, leaving them vulnerable to cyberattacks.

The official site of Norman (norman.com), a provider of proactive content security solutions and malware forensics tools, and the Polish variant of Avast’s website (lers.pl) were found to contain serious XSS flaws.

Team Elite is responsible for finding and disclosing the vulnerabilities, which, if not fixed, could give a hacker an easy opportunity to execute arbitrary code.

In the case of Norman, the installation key retrieval page is vulnerable, while on Avast’s Polish website the product purchase page contains both an XSS and an iframe injection hole.

Team Elite states that they always inform the website’s owner when they discover a vulnerability, but many owners seem to act very slowly, and in most cases they fix the flaws silently, without any public acknowledgement.