LogicalBreach Academy

DOM XSS in `fizzy.do` import filename preview enables one-click victim account takeover | Free Bug Bounty Writeup | LogicalBreach Academy

Writeups Cheatsheets Tools Collections Authors Noc Pricing

Back

Cross-site Scripting (XSS) - DOM (CWE-79)CVSS 8Hard

DOM XSS in `fizzy.do` import filename preview enables one-click victim account takeover

hackerone-reports

April 18, 2026

0 views

Save

€470

Vulnerability Summary

HackerOne disclosed report --> https://hackerone.com/reports/3608199 by xavlimsg

Description

Summary:

While auditing the latest Fizzy code and validating it end to end in a live Docker deployment of current main, I found that the account import page renders the selected local filename with innerHTML instead of textContent.

In practice, that means a crafted .zip filename is not shown as text. It is parsed as live HTML inside the real authenticated import form on /account/imports/new. Because that form already contains the victim's session and a valid CSRF token, I was able to inject a second submit control with an attacker-chosen formaction and turn the filename preview into an authenticated request gadget.

I pushed this beyond a theoretical DOM issue and validated the full attack chain to victim account takeover. The strongest demonstrated path was:

Identification Required

You must be logged in to read this writeup. Join our community of researchers today.

hackerone-reports

€13,553 Documented

Profile →

Related Writeups

heroxo9868

XSS Bypass to Zero Click Account Takeover in AI Chatbot

Poor HTML sanitization combined with a file upload feature led to a stored XSS that allowed administrator accounts to be compromised.

Read Writeup →

Discussion

No comments yet.

Be the first to share your thoughts

Premium writeups about bug bounty hunting and web security.
Written by real security researchers.

Navigation

Writeups Cheatsheets Tools Authors Noc Pricing

Contactcontact@logicalbreach.com

RSS FeedPrivacy PolicyTerms of Service