Admin Macro Description Stored XSS
State Resolved (Closed)
Disclosed publicly 2018-12-05T00:10:17.349Z
Reported To Zendesk
Weakness Cross-site Scripting (XSS) - Stored
Bounty $250

Summary by hariharan21

A description field available only to account Administrators accepted unexpected input that, under certain circumstances, executed JavaScript when the content was viewed by lower-privileged roles. Thanks to @hariharan21 for their great work!

Timeline
2018-08-09T20:14:24.354Z hariharan21 submitted a report to Zendesk.

Regards,
Frans

  • 0 attachments:
2018-08-09T20:35:44.956Z hariharan21 Activities::Comment
2018-08-10T05:46:06.240Z hariharan21 Activities::Comment
2018-08-11T08:00:37.607Z dukefleed Activities::BugDuplicate
2018-08-11T08:41:17.173Z hariharan21 Activities::Comment
2018-08-11T08:43:30.203Z hariharan21 Activities::Comment
2018-08-12T06:45:06.303Z hariharan21 Activities::Comment
2018-08-16T18:41:37.561Z lollipup Activities::BugReopened
2018-08-16T18:47:01.924Z lollipup Activities::ReportSeverityUpdated
2018-08-16T18:47:15.014Z lollipup Activities::BugTriaged
2018-08-16T18:47:44.508Z lollipup Activities::ReportTitleUpdated
2018-08-16T18:53:54.558Z lollipup Activities::ReportSeverityUpdated
2018-08-17T07:21:48.624Z hariharan21 Activities::Comment
2018-08-20T12:34:23.115Z hariharan21 Activities::Comment
2018-08-21T00:05:17.396Z dsouth Activities::Comment
2018-08-21T00:20:25.219Z dsouth Activities::Comment
2018-08-21T03:06:19.068Z hariharan21 Activities::Comment
2018-08-21T03:29:40.616Z hariharan21 Activities::Comment
2018-08-22T23:46:41.943Z dsouth Activities::ReportSeverityUpdated
2018-08-22T23:50:36.615Z Activities::BountyAwarded
2018-08-23T06:25:38.905Z hariharan21 Activities::Comment
2018-08-24T08:05:47.421Z hariharan21 Activities::Comment
2018-08-24T20:29:03.796Z dsouth Activities::BugResolved
2018-12-04T05:51:44.686Z hariharan21 Activities::AgreedOnGoingPublic
2018-12-04T18:01:11.531Z dsouth Activities::ReportSeverityUpdated
2018-12-04T18:02:47.637Z dsouth Activities::ReportTitleUpdated
2018-12-05T00:10:17.291Z dsouth Activities::AgreedOnGoingPublic
2018-12-05T00:10:17.368Z dsouth Activities::ReportBecamePublic