FetLife: Stored XSS via `Create a Fetish` section.

2021-01-24T10:53:20
ID H1:1085914
Type hackerone
Reporter kapkan
Modified 2021-02-25T01:36:00

Description

Summary:

Hi Team, I had found another Stored XSS and it is in the fetish section. Where you search for a particular term and you can create a fetish for that and while updating that the XSS executes.

{F1169908}

See the Proof Of Concept below. Thank You.

Steps To Reproduce:

A. Log into your account and go to Fetish from the above tab.

B. In the search field enter or copy this payload "><img src=x onerror=alert(5)> and click on Yes, Create a Fetish

{F1169909}

C. Click on Add to Profile and select the appropriate options.

{F1169912}

D. Click on Add to Profile and visit Edit Profile

E. Click on the Fetish option and click on Update for the Fetish you created and XSS will execute.

{F1169913}

Impact

Attacker can grab cookies of other users and can redirect users to malicious websites and much more.