Trello: SVG Uploads / Attachments can be viewed by anyone that knows the URL

ID H1:187413
Type hackerone
Reporter esmile
Modified 2016-12-06T16:03:45


1) Login
2) Create a new private board
3) Upload the SVG file attached
4) Grab the file URL
5) Open a new incognito window and navigate to the URL. Note that you were able to access the SVG file as well as that the script payload executed.
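The report combines two defects: the attachment URL is served without checking that the requester belongs to the private board, and the SVG is rendered inline so any script inside it runs in the site's origin. The Python below is an added illustration of the two server-side defences a practitioner would want for this class of issue; it is not Trello's code and is not taken from the report. The sample SVG bytes are constructed here to stand in for the attachment the reporter mentions (which is not on the page), and the function and parameter names are assumptions.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"

# Constructed sample standing in for the reporter's attachment: it carries a
# <script> element, an event-handler attribute and a javascript: link.
SAMPLE_SVG_WITH_SCRIPT = b"""<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">
  <script>alert(document.domain)</script>
  <a href="javascript:alert(1)"><circle r="10"/></a>
</svg>"""

# Constructed sample of a benign SVG that should be accepted unchanged.
SAMPLE_SVG_CLEAN = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="blue"/>
</svg>"""


def find_active_content(svg_bytes):
    """Return a list of findings describing script-bearing constructs in an SVG.

    An empty list means no active content was found. Unparseable input is
    reported as a finding so the caller rejects it rather than serving it.
    (In production, parse with defusedxml to avoid entity-expansion attacks.)
    """
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable SVG: {exc}"]

    findings = []
    for el in root.iter():
        tag = el.tag.split("}")[-1].lower()          # strip the namespace prefix
        if tag in ("script", "foreignobject"):
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = attr.split("}")[-1].lower()
            if name.startswith("on"):                # onload, onclick, ...
                findings.append(f"event handler attribute {name} on <{tag}>")
            if name == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL in href on <{tag}>")
    return findings


def attachment_response_headers(filename):
    """Headers for serving a user-uploaded SVG as a download, never as a page.

    Content-Disposition: attachment stops inline rendering, the CSP sandbox
    blocks script even if the browser does render it, and nosniff prevents
    MIME-type guessing on the served bytes.
    """
    safe_name = "".join(ch for ch in filename if ch.isalnum() or ch in "._-") or "attachment.svg"
    return {
        "Content-Type": "image/svg+xml",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "Content-Security-Policy": "default-src 'none'; sandbox",
        "X-Content-Type-Options": "nosniff",
    }


def serve_private_attachment(requester, board_members, filename, svg_bytes):
    """Hypothetical handler for an attachment on a private board.

    Returns (status, headers, body). The requester must be a member of the
    board (an unauthenticated incognito visitor is represented by None), and
    SVGs containing active content are refused outright.
    """
    if requester is None or requester not in board_members:
        return 403, {}, b"forbidden"
    findings = find_active_content(svg_bytes)
    if findings:
        return 422, {}, ("rejected: " + "; ".join(findings)).encode()
    return 200, attachment_response_headers(filename), svg_bytes


if __name__ == "__main__":
    print(find_active_content(SAMPLE_SVG_WITH_SCRIPT))
    print(serve_private_attachment(None, {"alice"}, "logo.svg", SAMPLE_SVG_CLEAN)[0])
    print(serve_private_attachment("alice", {"alice"}, "logo.svg", SAMPLE_SVG_CLEAN)[1])
```

The membership check is what closes the "anyone that knows the URL" part of the report; the headers and the upload-time scan address the script execution independently, so the file stays inert even if a link does leak.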