Mapbox: XSS (cross-site scripting) on www.mapbox.com/maki

2016-03-23T12:33:47
ID H1:125386
Type hackerone
Reporter niemand
Modified 2016-04-27T22:21:00

Description

Hi there,

There is an XSS that allows to inject code throw the variable window.name. I had found it two weeks ago but like I told you in the email I was unable to submit you the report.

PoC:

<html> <body> <script> window.open("https://www.mapbox.com/maki/", "<script>alert(document.cookie)<\/script>"); </script> </body> </html>

This is due to the print of the value variable raw in the web page. Some attacker could just trigger a victim to open open the page like that and execute the vulnerability.

Best, Joel