Do you guys use Hootsuite? It's a social media dashboard web app used by millions of users.
Well, I found that the label section in Hootsuite Analytics is vulnerable to a persistent XSS (self-XSS).
A user could inject arbitrary HTML or JavaScript into a label, and it would be stored and executed in the page whenever that label was rendered.
Proof of concept:
<script>alert(/xss/)</script>
The fix for this class of bug is not just input filtering: every user-supplied value has to be encoded for the context it is rendered in (HTML-escaped when it is inserted into the page body or an attribute), and stored values must be treated as untrusted again each time they are displayed, not only when they were first submitted.
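As an added illustration (this is example code, not Hootsuite's), here is the vulnerable rendering pattern next to the hardened one. The `renderLabelUnsafe`, `renderLabelSafe`, `escapeHtml` and `containsInjectedTag` names are hypothetical, and the label value is the proof-of-concept string from above.

```javascript
// Added example, not code from the original post or from Hootsuite.
// Escape a value for insertion into an HTML element body or a
// double-quoted attribute. Covers the five characters that can
// break out of those contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable pattern (hypothetical): the stored label is concatenated
// straight into markup, so a label containing a tag becomes live markup.
function renderLabelUnsafe(label) {
  return '<span class="label">' + label + "</span>";
}

// Hardened pattern: the label is escaped for the HTML body context
// before it is joined to the template.
function renderLabelSafe(label) {
  return '<span class="label">' + escapeHtml(label) + "</span>";
}

// Crude check used only to show the difference: after stripping the
// template's own span, does any tag-looking sequence remain?
function containsInjectedTag(html) {
  const body = html
    .replace(/^<span class="label">/, "")
    .replace(/<\/span>$/, "");
  return /<[a-zA-Z!\/]/.test(body);
}

// The proof of concept from the post, used as the stored label value.
const payload = "<script>alert(/xss/)</script>";

console.log(renderLabelUnsafe(payload)); // tag survives: script would run
console.log(renderLabelSafe(payload));   // tag is inert text
```

In a real browser the same rule applies to DOM updates: assigning a stored label to `element.textContent` is safe, assigning it to `innerHTML` is the vulnerable pattern shown above.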
Hootsuite's security team fixed this very fast, showing that some companies still care about web security.