HTML injection that may lead to XSS on HackerOne.com through H1 Triage Wizard Chrome Extension
Low
Vulnerability Details
To reproduce:
* ensure you have the H1 Triage Wizard Chrome extension enabled
* visit https://hackerone.com/reports/1622449?subject=security&/bugs=1
* right-click the report, select "View Triage Questionnaire (Beta)"
* observe an HTML payload being injected
{F2173699}
The payload is stored in █████████. The contents of this file are dynamically loaded through the Chrome extension.
The vulnerability is caused by the following code in the `triage-extension-private` repository:
```js
buildTriageQuestionnaireModal = (
  modalElement,
  triageQuestionnaireModalOptions
) => {
  let questionnaireResponses =
    triageQuestionnaireModalOptions.questionnaireResponses;
  if (questionnaireResponses) {
    modalElement.innerHTML = triageQuestionnaireHTML
      .replace("{{handle}}", triageQuestionnaireModalOptions.handle) // <-- the handle here is taken from the subject parameter (i.e. "security")
      .replace("{{1}}", questionnaireResponses[1]) // <-- the response to the questionnaire is interpolated without sanitizing it
      .replace("{{2}}", questionnaireResponses[2]) // <-- this applies to all of these
      .replace("{{3}}", questionnaireResponses[3])
      // ...
```
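The following is an added illustration, not code from the extension or the report: the same placeholder-filling pattern as above, next to a hardened version that HTML-escapes every interpolated value before the string is handed to `innerHTML`. The template string and the responses are constructed sample data.

```javascript
// Constructed stand-in for triageQuestionnaireHTML (not the extension's template).
const TEMPLATE =
  '<div class="questionnaire"><h2>Triage for {{handle}}</h2>' +
  '<p>Q1: {{1}}</p><p>Q2: {{2}}</p></div>';

// Mirrors the reported pattern: raw values land in markup destined for innerHTML.
// Note that a string replacement is also subject to replace()'s "$&"/"$1" patterns.
function buildUnsafe(template, handle, responses) {
  return template
    .replace("{{handle}}", handle)
    .replace("{{1}}", responses[1])
    .replace("{{2}}", responses[2]);
}

// Escape the characters that change meaning in HTML text and attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened fill: one regex pass with a function replacer, so every value is
// escaped and "$&" inside a value is inserted literally rather than interpreted.
// Unknown placeholders are left untouched instead of becoming "undefined".
function buildSafe(template, handle, responses) {
  const values = { handle, ...responses };
  return template.replace(/\{\{(\w+)\}\}/g, (match, key) =>
    Object.prototype.hasOwnProperty.call(values, key)
      ? escapeHtml(values[key])
      : match
  );
}

// Constructed sample input: one answer carries markup, the handle is benign.
const SAMPLE_RESPONSES = { 1: "<b>injected</b>", 2: "ok" };
console.log(buildUnsafe(TEMPLATE, "security", SAMPLE_RESPONSES)); // markup survives
console.log(buildSafe(TEMPLATE, "security", SAMPLE_RESPONSES));   // markup escaped
```

In the extension itself the equivalent fix is to build the modal from DOM nodes and assign user-controlled strings via `textContent`; the string-level escaping shown here is the minimal change when the template must stay an HTML string.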
## Impact
This vulnerability may lead to the disclosure of confidential information or compromise its integrity.
Report Stats
- Report ID: 1874260
- State: Closed
- Substate: resolved
- Upvotes: 19