Unchecked hidden parameter is vulnerable to XSS attack

Disclosed: 2014-08-07 14:14:27 By bigbear To khanacademy
Unknown
Vulnerability Details
Unchecked parameter: <input type="hidden" name="redirect">
Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them.
http://crowdin.khanacademy.org:/login
PoC: <input type="hidden" name="redirect" value="/project_actions/load_discussions/"><script>prompt(986874)</script>"/>
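The report above is the reporter's own text; what follows is an added example (not the reporter's PoC and not Crowdin's or Khan Academy's code) that shows, on the defender's side, why a hidden redirect parameter reflected into markup is exploitable and how to fix it. The function names, the stdlib-only rendering, and the sample values are assumptions: the first renderer reproduces the vulnerable pattern (request data concatenated into an attribute), the second attribute-escapes it, and a separate validator accepts only a same-site path so the field cannot be abused as an open redirect either.

```python
import html
from urllib.parse import urlsplit

# Constructed sample values modelled on the report's PoC and a benign path.
MALICIOUS_REDIRECT = '/project_actions/load_discussions/"><script>prompt(986874)</script>'
BENIGN_REDIRECT = '/project_actions/load_discussions/'


def render_hidden_redirect_unsafe(redirect: str) -> str:
    """Vulnerable pattern (hypothetical helper): the request value is pasted
    into the attribute verbatim. A value containing '">' closes the attribute
    and the tag, and everything after it is parsed as new HTML."""
    return '<input type="hidden" name="redirect" value="' + redirect + '"/>'


def render_hidden_redirect(redirect: str) -> str:
    """Hardened rendering: html.escape with quote=True turns <, >, &, " and '
    into entities, so the value can never terminate the attribute."""
    return '<input type="hidden" name="redirect" value="%s"/>' % html.escape(redirect, quote=True)


def safe_local_redirect(redirect: str, default: str = "/") -> str:
    """Validation layer, applied before the value is stored or rendered:
    accept only an absolute same-site path. Values with a scheme or host,
    a protocol-relative '//' prefix, backslashes, control characters or
    markup metacharacters are replaced by the default."""
    if not redirect or not redirect.startswith("/") or redirect.startswith("//"):
        return default
    parts = urlsplit(redirect)
    if parts.scheme or parts.netloc:
        return default
    if any(c in redirect for c in '<>"\'\\') or any(ord(c) < 0x20 for c in redirect):
        return default
    return redirect


if __name__ == "__main__":
    print("unsafe :", render_hidden_redirect_unsafe(MALICIOUS_REDIRECT))
    print("escaped:", render_hidden_redirect(MALICIOUS_REDIRECT))
    print("valid  :", safe_local_redirect(MALICIOUS_REDIRECT))
    print("valid  :", safe_local_redirect(BENIGN_REDIRECT))
```

Escaping fixes the XSS on its own; the validator is the second layer because a redirect parameter that is echoed safely can still send a logged-in user to an attacker-chosen origin after login, and a template engine with contextual auto-escaping (Jinja2 with autoescape enabled, for example) would make the escape step the default rather than something each view has to remember.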
Report Stats
  • Report ID: 13506
  • State: Closed
  • Substate: informative
  • Upvotes: 2