Vulnerability Summary
A DOM-based XSS vulnerability was discovered affecting multiple endpoints within a financial institution's web application. The target_route parameter was processed client-side without validation or sanitization, so an attacker could execute arbitrary JavaScript by supplying a value using the javascript: URI scheme.
The vulnerability was present on several application pages. Some examples include:
https://www.redacted-bank.com/retail/promotions-search?target_route=javascript:...
https://www.redacted-bank.com/retail/fraud-prevention?target_route=javascript:...
https://www.redacted-bank.com/corporate/agreements-search?target_route=javascript:...
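The defect pattern and a fix, as an added example that is not code from the report or the affected application: a `target_route` value is read from the query string and handed to a navigation sink, and a validator restricts it to a same-origin relative path before use. The origin `https://www.redacted-bank.com` and the fallback path `/` are assumed values.

```javascript
// Added example (not from the report). Reads target_route from a query string.
// Assumed: the value ends up in a navigation sink such as `location.href = route`.

// Vulnerable pattern: the raw parameter reaches the sink unchanged, so a
// javascript: URI is executed instead of navigated to.
function vulnerableTargetRoute(search) {
  const route = new URLSearchParams(search).get('target_route');
  return route; // e.g. location.href = route
}

// Hardened: accept only a single-slash relative path, resolve it against the
// application's own origin (assumed value) and re-emit just path, query and hash.
function safeTargetRoute(search, origin = 'https://www.redacted-bank.com', fallback = '/') {
  const raw = new URLSearchParams(search).get('target_route');
  if (raw === null || raw.length > 2048) return fallback;
  // Must start with exactly one '/': rejects "javascript:", absolute URLs,
  // protocol-relative "//host" and backslash variants "/\host".
  if (!/^\/(?![\/\\])/.test(raw)) return fallback;
  let parsed;
  try {
    parsed = new URL(raw, origin);
  } catch (_) {
    return fallback;
  }
  if (parsed.origin !== origin || parsed.protocol !== 'https:') return fallback;
  return parsed.pathname + parsed.search + parsed.hash;
}
```

Because the result is always rebuilt from the parsed path components, the value assigned to the sink can never carry a scheme of its own.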
HackerOne disclosed report: https://hackerone.com/reports/3608199 (reported by xavlimsg)
Poor HTML sanitization combined with a file upload feature led to a stored XSS that allowed administrator accounts to be compromised.