Hi security team members,
Hope you are well and doing great :)
I found a possible XSS vulnerability in https://dashboard.stripe.com, but I was not able to bypass the content security policy.
Although I don't have much knowledge about CSP and its bypasses, I read that you accept XSS without a content security policy bypass. So, I'm reporting this to you.
> Please note that we do accept and reward submissions for valid cross-site scripting vulnerabilities even if they are not accompanied by a bypass of our content security policy. Cross-site scripting vulnerabilities without a content security bypass will be assessed at a lower severity level than those with a bypass.
This occurs when you create a custom link with `javascript://%0aalert(1)` through a Stripe app. It gives a CSP "refused to execute" error on clicking the custom link.
Install this Custom Link app: https://marketplace.stripe.com/apps/custom-links
Now, go to your products and then create a Custom Link with `javascript://%0aalert(1)` as the link.
{F2076228}
Then, once you click on the custom link that you just created, it doesn't execute because of CSP.
{F2076226}
You can verify this by opening your console.
{F2076227}
If an attacker is able to bypass CSP, then there is a possible XSS vulnerability in https://dashboard.stripe.com.
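The following is an added example, not code from the report above and not Stripe's own code; it makes no assumption about how the Custom Links app stores or renders links. It shows two things a practitioner would want to confirm: why the reported payload `javascript://%0aalert(1)` is an executable javascript: URL (the `//` starts a line comment, the percent-encoded newline ends it, so `alert(1)` is live code on the next line), and a parser-based scheme allowlist that rejects such links before they are stored. The function names (`javascriptUrlBody`, `runJavascriptUrl`, `isSafeLink`, `classify`) and the sample inputs are hypothetical and constructed for the example.

```javascript
// Added example: not from the report and not Stripe's code. Function names
// and sample inputs are hypothetical, constructed for illustration only.

// Extract the script a browser would run for a javascript: URL. The scheme is
// dropped and the remainder is percent-decoded before it is evaluated.
function javascriptUrlBody(href) {
  const m = /^\s*javascript:/i.exec(href);
  if (!m) return null;
  return decodeURIComponent(href.slice(m[0].length));
}

// Evaluate the decoded body with a stub alert() that records its argument,
// so the example runs under Node and the outcome is a checkable value.
// Without %0a the "//" comments out the whole payload and nothing runs;
// with %0a the decoded newline ends the comment and alert(1) executes.
function runJavascriptUrl(href) {
  const calls = [];
  const body = javascriptUrlBody(href);
  if (body === null) return calls;
  new Function('alert', body)((x) => calls.push(x));
  return calls;
}

// Validation: parse with the WHATWG URL parser and allow only http(s).
// A regex blocklist on the raw string misses case changes, leading whitespace
// and embedded tabs/newlines; the parser normalises all of those before the
// scheme comparison, and relative or malformed input is rejected outright.
function isSafeLink(href) {
  let url;
  try {
    url = new URL(href); // throws on relative or malformed input
  } catch {
    return false;
  }
  return url.protocol === 'http:' || url.protocol === 'https:';
}

// Constructed sample inputs: one legitimate link and several evasion attempts.
const samples = [
  'https://example.com/products/42',
  'javascript://%0aalert(1)',
  'javascript://alert(1)',
  'JavaScript:alert(1)',
  'java\tscript:alert(1)',
  '  javascript:alert(1)',
  'data:text/html,<script>alert(1)</script>',
];

function classify(hrefs) {
  return hrefs.map((href) => ({ href, safe: isSafeLink(href) }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(runJavascriptUrl('javascript://%0aalert(1)')); // [ 1 ]
  console.log(runJavascriptUrl('javascript://alert(1)')); // []
  console.table(classify(samples));
}
```

Run it with `node` to see the payload execute against the stub `alert` while the same string, and every variant in `samples` except the plain https link, fails the allowlist. Note that a CSP that blocks the execution (as seen in the report) is a second layer; the allowlist stops the link from being stored at all, which is the fix that does not depend on CSP being unbypassable.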