Uber: Self-XSS on partners.uber.com

2016-05-13T13:12:00
ID H1:138622
Type hackerone
Reporter cyber__sec
Modified 2016-07-26T00:35:43

Description

Hi,

I found a reflected XSS vulnerability in the password reset page https://partners.uber.com/reset-password. I have tested this vulnerability in the latest Chrome and Firefox browsers.

Reproduction Steps:

1- Go to https://login.uber.com/forgot-password and reset your password. Then click the password reset link in your mailbox.
2- Paste "><img src=x onerror=prompt(document.domain)> as your new password and submit.
3- Wait and see the XSS payload fire.

Also, I added screenshots.

Thanks,