Vulnerability Summary
Stored Cross-Site Scripting via SVG File Upload Filter Bypass
Due to a severe misconfiguration in how the platform's sanitization layer processes URI schemes within SVG documents, an attacker is able to upload a crafted SVG file that, once stored server-side and rendered inline for any user who opens the shared conversation, silently executes arbitrary JavaScript under the platform's origin — with full access to session cookies, tokens, and DOM context.
Censorship Note: All data (domains, paths, URIs, and variables) have been strictly anonymized using entirely fictional nomenclature (e.g., redactedchat.net). This report documents an indirect execution of arbitrary JavaScript within a simulated environment to guarantee 100% privacy for the original enterprise.
Stored XSS on a cloud-drive public-share preview endpoint that serves user-uploaded HTML as text/html on the main application origin with a permissive CSP. A single click on the share link executes attacker JavaScript with same-origin access to the victim's session, allowing the attacker to impersonate the victim against every drive API: exfiltrating collaborator PII, the full file tree, payment-system identifiers and five cross-service XSRF tokens, modifying account preferences, and silently turning every private file in the victim's drive into a public URL.
A Reflected XSS vulnerability was identified in a navigation/routing endpoint of a financial institution's web application. The callback GET parameter is reflected unsanitized into a JavaScript context on the client side, allowing arbitrary code execution.
HackerOne disclosed report --> https://hackerone.com/reports/3594137 by aikido_security