Mapbox: XSS (cross-site scripting) on

ID H1:125386
Type hackerone
Reporter niemand
Modified 2016-04-27T22:21:00


Hi there,

There is an XSS that allows injecting code through the variable. I had found it two weeks ago, but like I told you in the email, I was unable to submit the report to you.


<html> <body> <script>"", "<script>alert(document.cookie)<\/script>"); </script> </body> </html>

This is due to the value variable being printed raw in the web page. An attacker could just trigger a victim to open the page like that and execute the vulnerability.

Best, Joel
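
The root cause named in the report, a request value printed raw into the page, shown next to context-aware output encoding. This is an added example, not code from the report or from Mapbox; the function names and the page template are hypothetical, and the sample input is the payload string quoted in the report.

```javascript
// Added example; every name and the page template below are hypothetical.

// Payload string quoted in the report, used here as constructed sample input.
const SAMPLE = '<script>alert(document.cookie)</script>';

// Vulnerable pattern: the request value is concatenated into the page as-is,
// so markup in the value becomes markup in the response.
function renderRaw(value) {
  return '<html><body><p>Result: ' + value + '</p></body></html>';
}

// HTML text/attribute context: neutralise the characters that can open a tag,
// start an entity, or close a quoted attribute.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Inline <script> context: JSON.stringify yields a valid JS string literal,
// but a "</script>" inside it would still end the script element, so <, >, &
// and the JS line separators are emitted as \uXXXX escapes instead.
function toScriptLiteral(value) {
  return JSON.stringify(String(value)).replace(/[<>&\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Hardened pattern: each sink gets the encoder that matches its context.
function renderEncoded(value) {
  return '<html><body><p>Result: ' + escapeHtml(value) + '</p>' +
    '<script>var q = ' + toScriptLiteral(value) + ';</script></body></html>';
}

// Counts the <script ...> openings present in the generated markup.
function countScriptTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}
```

HTML-escaping alone is not enough for the inline script sink: entities are not decoded inside a script element, which is why that context uses its own encoder.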