Vulnerable URLs:
https://www.zendesk.com/product/tour/
https://www.zendesk.com/product/pricing/
or just https://www.zendesk.com/product/
The vulnerable parameter is **cvo_sid1**, used in **live.js** to call Convertro code (without sanitizing). This leads to generating a malformed JavaScript answer with XSS injection ability. (See screenshots below).
There is a restriction on semicolon use, so I replaced it with %3b.
To reproduce the vulnerability, you could try this safe example:
`https://www.zendesk.com/product/tour/#?cvo_sid1=1")%3balert(document.cookie%2b"`
This vulnerability provides a great opportunity for the victim to lose not only cookies, but also control over the account after stealth forwarding to a purposely generated link like this :))

Title: Zendesk: XSS in zendesk.com/product/
Report: https://hackerone.com/reports/141244 (H1:141244)
Reporter: virtualhunter
Published: 2016-05-26T17:21:14, modified: 2016-12-15T00:56:43
Bounty: 100.0, state: resolved
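
How the string-context break-out described in the report arises, and how an allowlist plus output encoding closes it. This is an added example, not part of the original report and not Zendesk's or Convertro's code; `cvoTrack`, `readSid`, the `URLSearchParams` parsing and the `SID_PATTERN` format are assumptions.

```javascript
// Added example. cvoTrack, readSid and SID_PATTERN are hypothetical names,
// not taken from live.js or Convertro.

// Fragment from the report, used here only as test input (never executed).
const REPORT_FRAGMENT = '#?cvo_sid1=1")%3balert(document.cookie%2b"';

// Read cvo_sid1 from a fragment such as "#?cvo_sid1=abc" (assumed parsing).
function readSid(fragment) {
  const query = fragment.replace(/^#\??/, "");
  return new URLSearchParams(query).get("cvo_sid1");
}

// Vulnerable pattern: the value is concatenated into a JS string literal,
// so a double quote in the value ends the literal early.
function buildCallUnsafe(sid) {
  return 'cvoTrack("' + sid + '");';
}

// Encode for a JavaScript string context: JSON.stringify escapes quotes,
// backslashes and control characters; "<" is escaped as well so the result
// stays inert if the script is ever inlined into an HTML <script> block.
function encodeJsString(value) {
  return JSON.stringify(String(value)).replace(/</g, "\\u003c");
}

// Hardened builder: allowlist the identifier format first (assumed format),
// then encode anyway, so neither check is a single point of failure.
const SID_PATTERN = /^[A-Za-z0-9_-]{1,64}$/;
function buildCallSafe(sid) {
  if (typeof sid !== "string" || !SID_PATTERN.test(sid)) return null;
  return "cvoTrack(" + encodeJsString(sid) + ");";
}

// Structural check usable in a unit test: the generated script must be
// exactly one cvoTrack call with one double-quoted string argument.
function isSingleStringCall(script) {
  return /^cvoTrack\("(?:[^"\\]|\\.)*"\);$/.test(script);
}

const sample = readSid(REPORT_FRAGMENT);
console.log(buildCallUnsafe(sample), isSingleStringCall(buildCallUnsafe(sample)));
console.log(buildCallSafe(sample), buildCallSafe("abc-123"));
```

The structural check fits a regression test for any endpoint that reflects a request value into generated JavaScript.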