Vulnerability Summary
HackerOne disclosed report --> https://hackerone.com/reports/3608199 by xavlimsg
While auditing the latest Fizzy code and validating it end to end in a live Docker deployment of current main, I found that the account import page renders the selected local filename with innerHTML instead of textContent.
In practice, that means a crafted .zip filename is not shown as text. It is parsed as live HTML inside the real authenticated import form on /account/imports/new. Because that form already contains the victim's session and a valid CSRF token, I was able to inject a second submit control with an attacker-chosen formaction and turn the filename preview into an authenticated request gadget.
I pushed this beyond a theoretical DOM issue and validated the full attack chain to victim account takeover. The strongest demonstrated path was:
Collab with Tonysec https://academy.logicalbreach.com/authors/tonysec
A DOM-based XSS vulnerability was discovered affecting multiple endpoints within a financial institution's web application. The target_route parameter was being processed client-side without proper validation or sanitization. This flaw allowed an attacker to execute arbitrary JavaScript code by utilizing the javascript: URI scheme.
Poor HTML sanitization combined with a file upload feature led to a stored XSS that allowed administrator accounts to be compromised.