XXE on https://duckduckgo.com
Critical
DuckDuckGo
Team Summary
Official summary from DuckDuckGo
An XML External Entity (XXE) injection vulnerability was discovered in the `x.js` endpoint on https://duckduckgo.com via the `u` parameter. This was due to improper sanitization of external XML entities. The result was a leak of certain world-readable files on the system. This issue was patched. Additionally, we intend to retire the endpoint in the very near future. Big thanks to @mik317 for reporting this issue!
Reported by
mik317
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Weakness
XML External Entities (XXE)