XXE on https://duckduckgo.com
This issue took 0 Days and 0 hours to triage and 0 Days and 12 hours to resolve once triaged.
Discovered by mik317 on Duckduckgo
An XML External Entity (XXE) injection vulnerability was discovered in the <code>x.js</code> endpoint on <a title="https://duckduckgo.com" href="/redirect?signature=704d370d35afd5f3eff200c403f67a3995ef86fa&url=https%3A%2F%2Fduckduckgo.com" target="_blank" rel="nofollow noopener noreferrer"><span>https://duckduckgo.com</span><i class="icon-external-link"></i></a> via <code>u</code> parameter. This was due to improper sanitation of external XML entities. The results was a leak of certain world readable files on the system.
This issue was patched. Additionally, we intend to retire the endpoint in the very near future.
Big thanks to <a href="/mik317">@mik317</a> for reporting this issue!