Self XSS in attachments name
Low
Vulnerability Details
Hello Gents,
While testing `account.acronis.com`, I found that I could inject an XSS payload in the attachment name at **"Support requests"**.
### Steps to Reproduce:
1. Please log in at `account.acronis.com`.
2. From support request, support a new case.
3. Expand Case ID, leave a comment for support professional, upload a file: `"><img src="x" onerror="alert(document.domain)">.png`.
### Proof of Concept:
{F1687467}
## Impact
XSS
Report Stats
- Report ID: 1536901
- State: Closed
- Substate: resolved
- Upvotes: 18
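
The report does not show how the support page renders attachment names. As an added example (not Acronis code and not part of the original report), the sketch below assumes the name is interpolated into an HTML template, and puts that pattern beside an output-encoded version plus an upload-time name filter. All function names and the markup are hypothetical.

```javascript
// Added example: function names and markup are assumptions, not Acronis code.

// Attachment name taken from the report's reproduction steps.
const reportedName = '"><img src="x" onerror="alert(document.domain)">.png';

// Before: the name is concatenated into an attribute and an element body
// unchanged, so `">` closes the attribute and the rest is parsed as markup.
function renderAttachmentUnsafe(name) {
  return `<a class="attachment" title="${name}">${name}</a>`;
}

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode the characters that are significant in HTML text and in
// quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// After: same markup, every interpolation encoded before it reaches the page.
function renderAttachmentSafe(name) {
  const encoded = escapeHtml(name);
  return `<a class="attachment" title="${encoded}">${encoded}</a>`;
}

// Defence in depth at upload time: keep only a conservative character set
// in the stored display name. Output encoding is still required at render.
function sanitizeUploadName(name) {
  const base = String(name).split(/[\\/]/).pop(); // drop any path component
  const cleaned = base.replace(/[^A-Za-z0-9._ -]/g, '_').slice(0, 255);
  return cleaned.replace(/^\.+/, '') || 'attachment';
}

console.log(renderAttachmentUnsafe(reportedName)); // contains a live <img> tag
console.log(renderAttachmentSafe(reportedName));   // name shown as inert text
console.log(sanitizeUploadName(reportedName));
```

In browser code that builds the DOM directly, assigning the name through `textContent` or `setAttribute` gives the same result as the encoded template, because neither parses the value as HTML.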