Urban Dictionary: Cross-Site Scripting Vulnerability in urbandictionary.com

ID H1:115438
Type hackerone
Reporter ishahriyar
Modified 2016-04-28T04:28:34


Users can upload an image for any definition on urbandictionary.com. If someone uploads an invalid image file, you return an error message through a URL like this: http://www.urbandictionary.com/cloudinary_cors.html?error=Invalid+image+file

Here the error parameter is reflected into the page without encoding and is vulnerable to XSS.
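As an added illustration (not Urban Dictionary's code, and assuming the page reads the error parameter with client-side script and displays it), the following shows the reflected pattern that makes such a parameter exploitable next to the encoded form that renders it as inert text:

```javascript
// Added example, not the original page's code. Assumption: the page reads
// `error` from the query string and places it into the document.

// Parse the `error` parameter from a full URL (works in Node and browsers).
function extractErrorParam(url) {
  return new URL(url).searchParams.get("error") || "";
}

// Vulnerable pattern: the parameter is interpolated into HTML unencoded,
// so any markup in the value is parsed and any script in it runs.
function vulnerableMarkup(error) {
  return `<p class="error">${error}</p>`;
}

// Hardened pattern: encode the HTML-significant characters first, so the
// value is displayed as text rather than interpreted as markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function safeMarkup(error) {
  return `<p class="error">${escapeHtml(error)}</p>`;
}

// In a browser the simplest fix is to assign the raw value to textContent,
// which never parses it as HTML; innerHTML with an unencoded value is the bug.
function renderInto(element, error) {
  if (element) element.textContent = error;
}

if (typeof window !== "undefined") {
  // Assumes an element with id="error" exists in the page.
  renderInto(document.getElementById("error"), extractErrorParam(window.location.href));
}
```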

Impact: When a user navigates to the affected web page in a browser, the XSS payload is served as part of the web page. This means that victims will inadvertently end up executing the malicious script once the page is viewed in a browser. Possible attacks: cookie theft, data theft, insecure redirect.

Steps to reproduce: Just navigate to the URL given below.


Tested on Firefox.