XXE in OAuth2 Applications gallery profile App logo

Disclosed: 2015-12-16 04:07:53 By s1ck-sec To coinbase
Unknown
Vulnerability Details
Upload an SVG photo (XML-based) as the App logo containing an XML payload, renamed to .jpg; the server starts to execute this XML payload. Or just watch this video: "https://www.dropbox.com/s/wkba6f0wrax0wr8/xxe.mp4?dl=0". The same vulnerability was in https://www.coinbase.com/careers and was reported by https://hackerone.com/mohaab007 one year ago: "https://www.youtube.com/watch?v=qzbafFSFhtU".
Report Stats
  • Report ID: 104620
  • State: Closed
  • Substate: informative
  • Upvotes: 3
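The report's technique is an XML document (an SVG) uploaded under an image extension so that whatever parses the "logo" resolves the external entities it declares. The following is an added example, not Coinbase's code or the reporter's: a server-side validator for an upload endpoint that rejects the renamed-SVG case by checking magic bytes against the declared extension and, where SVG is accepted at all, parses it with DOCTYPE declarations forbidden so no entity can be declared. The endpoint, the file names and all three sample files (an SVG carrying the classic external-entity pattern, a clean SVG, and a stub JPEG header) are constructed for this example.

```python
"""Server-side checks for an image-upload field such as an "App logo".

Added example (not Coinbase's or the reporter's code). Two defences:
  1. The declared extension must agree with the file's magic bytes, so an
     XML document named logo.jpg is rejected before anything parses it.
  2. If SVG uploads are allowed at all, the document is parsed with DOCTYPE
     declarations forbidden and parameter-entity parsing disabled, so no
     external entity can be declared, let alone resolved.
"""
import xml.parsers.expat

# Constructed sample: the classic XXE pattern (an external entity pointing at
# a local file) wrapped in an SVG document. Nothing in this file resolves it.
XXE_SVG = b"""<?xml version="1.0"?>
<!DOCTYPE svg [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <text x="10" y="20">&xxe;</text>
</svg>
"""

# Constructed sample: a harmless SVG with no DTD.
CLEAN_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <circle cx="50" cy="50" r="40"/>
</svg>
"""

# Constructed sample: JPEG SOI + APP0 markers and filler; enough for the
# signature check, not a decodable image.
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16

# Magic-byte signatures for the raster formats the endpoint accepts.
SIGNATURES = (
    ("jpeg", (b"\xff\xd8\xff",)),
    ("png", (b"\x89PNG\r\n\x1a\n",)),
    ("gif", (b"GIF87a", b"GIF89a")),
)


class UnsafeXmlError(ValueError):
    """Raised when an SVG contains constructs the upload handler forbids."""


def sniff_type(data: bytes) -> str:
    """Identify the file by content, never by name.
    Returns 'jpeg', 'png', 'gif', 'svg' (any XML-looking text) or 'unknown'."""
    for kind, sigs in SIGNATURES:
        if any(data.startswith(s) for s in sigs):
            return kind
    head = data.lstrip()[:32].lower()
    if head.startswith((b"<?xml", b"<!doctype", b"<svg")):
        return "svg"
    return "unknown"


def declared_type(filename: str) -> str:
    """Normalise the client-chosen extension ('jpg' and 'jpeg' are one type)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return "jpeg" if ext == "jpg" else ext


def parse_svg_without_dtd(data: bytes) -> str:
    """Parse with expat, aborting on any DOCTYPE (where entities get declared).
    Returns the root element name so the caller can insist on <svg>."""
    root = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXmlError("DOCTYPE declarations are not allowed in uploads")

    def on_start(name, attrs):
        if not root:
            root.append(name)

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    # Never fetch external parameter entities (DTD subsets loaded by URL).
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.Parse(data, True)
    return root[0] if root else ""


def validate_logo(filename: str, data: bytes, allow_svg: bool = False):
    """Return (accepted, reason_or_type) for an uploaded logo."""
    declared = declared_type(filename)
    actual = sniff_type(data)
    if actual == "unknown":
        return False, "unrecognised image format"
    if declared != actual:
        # The report's exact case: XML content under a .jpg name.
        return False, f"content of {filename} is {actual}, not {declared}"
    if actual == "svg":
        if not allow_svg:
            return False, "SVG uploads are disabled"
        try:
            if parse_svg_without_dtd(data) != "svg":
                return False, "XML document is not an SVG"
        except UnsafeXmlError as exc:
            return False, str(exc)
        except xml.parsers.expat.ExpatError as exc:
            return False, f"malformed SVG: {exc}"
    return True, actual


if __name__ == "__main__":
    for name, blob, svg_ok in (("logo.jpg", XXE_SVG, False),
                               ("logo.svg", XXE_SVG, True),
                               ("logo.svg", CLEAN_SVG, True),
                               ("logo.jpg", FAKE_JPEG, False)):
        print(name, validate_logo(name, blob, allow_svg=svg_ok))
```

The extension-versus-content check alone would have stopped the renamed-to-.jpg upload in the report; the DOCTYPE ban covers deployments that genuinely accept SVG. Both checks must run in the same process that later parses or rasterises the file: a check performed by the web tier is worthless if a separate image-processing worker reparses the raw bytes with its own, entity-resolving XML parser.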