FetLife: Stored XSS via `Create a Fetish` section.

ID H1:1085914
Type hackerone
Reporter kapkan
Modified 2021-02-25T01:36:00



Hi Team, I had found another Stored XSS and it is in the fetish section. Where you search for a particular term and you can create a fetish for that and while updating that the XSS executes.


See the Proof Of Concept below. Thank You.

Steps To Reproduce:

A. Log into your account and go to Fetish from the above tab.

B. In the search field enter or copy this payload "><img src=x onerror=alert(5)> and click on Yes, Create a Fetish


C. Click on Add to Profile and select the appropriate options.


D. Click on Add to Profile and visit Edit Profile

E. Click on the Fetish option and click on Update for the Fetish you created and XSS will execute.



Attacker can grab cookies of other users and can redirect users to malicious websites and much more.