Reflected XSS on vimeo.com/musicstore

Disclosed: 2017-08-31 10:29:49 By stefanovettorazzi To vimeo
Unknown
Vulnerability Details
__Description__

The value of the parameter `section` is reflected into the JavaScript function call `MusicStoreCommon.initialize()` without escaping, which allows an attacker to inject JavaScript code into the page.

__Proof of concept__

1. Go to https://vimeo.com/musicstore?section=%27-alert(document.domain)-%27.
2. `alert(document.domain)` is executed.

This reflected XSS is reproducible on Chrome, Safari and Firefox.
Report Stats
  • Report ID: 85615
  • State: Closed
  • Substate: resolved
  • Upvotes: 5