Stored XSS on buy button
Severity: Low
Vulnerability Details
I found an XSS vulnerability on the buy button.
**Steps to reproduce**
1. Go to Settings > General > Store currency > Change formatting and, in the "HTML with currency" field, enter the payload `€{{amount}} "><img src=x onerror=prompt(document.domain)>`. The leading `">` closes the attribute and tag into which the formatted price is inserted, so the `<img>` that follows becomes a live element.
2. Open a Buy Button. The stored currency format is rendered into the button's markup without escaping, so the payload executes there.
## Impact
A staff member can take over another account.
Report Stats
- Report ID: 397088
- State: Closed
- Substate: resolved
- Upvotes: 39