Envoy: Delete visitor from IPAD with fullname which contains JS results XSS

2014-07-11T20:59:42
ID H1:19816
Type hackerone
Reporter sasi2103
Modified 2014-08-27T08:48:27

Description

Hi,

Update a visitor from the iPad with a fullname of </script><script>alert(1)</script> and save. IGNORE THE POP UP, IT HAS BEEN REPORTED ALREADY. Delete this user and the XSS will pop up; the fullname is now a stored XSS.

Any visitor using the iPad application can create a stored XSS, which will be activated once you click on the delete button.

Regards,

Sasi
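
Added example, not part of the original report and not Envoy's code: the payload's leading `</script>` suggests the full name is written into an inline script block, so this sketch assumes that pattern and contrasts it with an escaped form. The function names, the visitor record and the markup are constructed for illustration.

```javascript
// Constructed example: the markup and function names are assumptions.
const PAYLOAD = "</script><script>alert(1)</script>"; // full name from the report

// Assumed vulnerable pattern: JSON.stringify quotes the string for JavaScript,
// but the HTML parser ends a script block at the first "</script", quoted or not.
function renderUnsafe(visitor) {
  return "<script>var visitor = " + JSON.stringify(visitor) + ";</script>";
}

// Hardened: emit the characters the HTML parser reacts to as \uXXXX escapes.
// The output is still valid JSON/JavaScript and decodes to the same string.
function jsonForScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (c) =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

function renderSafe(visitor) {
  return "<script>var visitor = " + jsonForScript(visitor) + ";</script>";
}

// Minimal model of how an HTML parser splits the page: each script block runs
// from "<script>" to the next "</script", regardless of JavaScript quoting.
function scriptBlocks(html) {
  const blocks = [];
  const re = /<script>([\s\S]*?)<\/script/gi;
  let m;
  while ((m = re.exec(html)) !== null) blocks.push(m[1]);
  return blocks;
}

const visitor = { id: 7, fullName: PAYLOAD }; // constructed record

// Unsafe rendering: the stored name closes the first block and opens its own.
console.log(scriptBlocks(renderUnsafe(visitor)));
// Safe rendering: a single block, and the name stays inside the string literal.
console.log(scriptBlocks(renderSafe(visitor)));
```

The same escaping is needed wherever the stored name is rendered, including the view reached through the delete button, because the value is stored once and read back by every page that displays it.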