I reported a bunch of reflected Cross-site Scripting vulnerabilities to Condé Nast in August. Some of them have been fixed:

  • Ars Technica
  • Bonappetit
  • Golf Digest
  • Vogue & Teen Vogue
  • Self.com
  • Brides.com

Update 31-Jan-2013: three sites have been fixed and are marked below.

Thanks to Jason for helping with the domains above. Some issues are not fixed and my contact does not have direct control of these sites:

  • Architectural Digest XSS (Fixed)
  • Style.com XSS
  • Vanity Fair XSS (Fixed)
  • Epicurious XSS
  • Concierge.com XSS
  • Lucky Magazine XSS (Fixed)

I hope these issues will be fixed eventually.

Users should be careful and avoid clicking on links that point to XSS-vulnerable domains.