Slack: a stored xss issue in

ID H1:149011
Type hackerone
Reporter securitythinker
Modified 2017-06-25T00:03:08


when making a BoxNote snippet with this xss payload: XSS") ;</script> <img src="<img src=search"/onerror=alert(document.domain)//"> "><marquee>

when snippet made: and use the "view raw" xss payload will be executed

my ex: link where xss payload executed:

that link will be executed in entire team mate that could probably used in exploitation.