Vulnerability Summary
Stored XSS on a cloud-drive public-share preview endpoint that serves user-uploaded HTML as text/html on the main application origin with a permissive CSP. A single click on the share link executes attacker JavaScript with same-origin access to the victim's session, allowing the attacker to impersonate the victim against every drive API — exfiltrating collaborator PII, the full file tree, payment-system identifiers and five cross-service XSRF tokens, modifying account preferences, and silently turning every private file in the victim's drive into a public URL.
A vulnerability was identified where a free-tier user of a cloud-drive service could upload an HTML file, expose it through the platform's built-in "public share" feature, and have that file served back as raw HTML on the application's main origin without authentication. Any logged-in user who clicked the share link executed the attacker's JavaScript with full same-origin access to the platform's APIs and authenticated cookies, allowing complete account compromise on a single click.
Seven distinct attack scenarios were confirmed cross-account (uploaded from an attacker account, executed in the victim's session). The combined impact is a full data breach: PII theft, complete file-tree enumeration, silent public exposure of every private file, payment-system identifier theft, account modification, cross-service XSRF token theft, and targeted search for sensitive documents.
A Reflected XSS vulnerability was identified in a navigation/routing endpoint of a financial institution's web application. The callback GET parameter is reflected unsanitized into a JavaScript context on the client side, allowing arbitrary code execution.
HackerOne disclosed report: https://hackerone.com/reports/3594137 (by aikido_security)
Stored Cross-Site Scripting via SVG File Upload Filter Bypass