Mixmax: Stored XSS templates -> 'call for action' feature

2017-06-08T08:04:58
ID H1:237927
Type hackerone
Reporter r0h17
Modified 2017-06-09T17:41:09

Description

Hi Jeff,

Reporting the stored XSS in the template section, in the 'call for action' button (already discussed by mail).

1] Log in to Mixmax and navigate to the template section.
2] Click on Enhance and select the call for action button.
3] Enter anything in the button text, and in the URL enter the XSS payload (javascript:alert(document.cookie)).
4] Insert the button and click it to execute the XSS.

Impact: the XSS can be stored in a template, and when a team manager/admin uses that template and clicks the button, our XSS executes.

Thank you
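The root cause described in the report is a user-supplied URL being written straight into the button's href, so a javascript: URL becomes executable on click. The following is an added example, not Mixmax's code, showing the vulnerable pattern beside a hardened one: the URL is parsed with the WHATWG URL constructor and only absolute http, https and mailto URLs are accepted, which also catches the usual bypasses (mixed case, leading whitespace, embedded tab/newline, data: URLs). The function names, the CSS class name and the sample inputs are all constructed for illustration.

```javascript
// Added example (not Mixmax code): validating a call-to-action URL
// before it is used as an href in a stored template.

// Schemes a link button legitimately needs. Anything else (javascript:,
// data:, vbscript:, ...) is rejected rather than blacklisted.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Vulnerable pattern: attacker-controlled URL is interpolated as-is, so
// "javascript:alert(document.cookie)" runs when a teammate clicks the button.
function buildButtonVulnerable(text, url) {
  return `<a class="cta" href="${url}">${text}</a>`;
}

// Returns a normalized absolute URL if the scheme is allowed, otherwise null.
// new URL() throws on relative or malformed input, lowercases the scheme,
// trims leading/trailing whitespace and strips embedded tabs/newlines, so
// "JavaScript:", "  javascript:" and "java\tscript:" all normalize to
// "javascript:" and are rejected by the allow-list.
function safeHref(input) {
  let parsed;
  try {
    parsed = new URL(String(input));
  } catch (_err) {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null;
  return parsed.href;
}

// Attribute/text escaping so the button text cannot break out of the markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: validate the scheme, then escape everything that lands in HTML.
function buildButtonSafe(text, url) {
  const href = safeHref(url);
  if (href === null) {
    throw new Error("call-to-action URL must be an absolute http(s) or mailto URL");
  }
  return `<a class="cta" href="${escapeHtml(href)}">${escapeHtml(text)}</a>`;
}

// Constructed sample inputs: the report's payload plus common bypass attempts.
const SAMPLE_URLS = [
  "javascript:alert(document.cookie)",
  "JavaScript:alert(1)",
  "  javascript:alert(1)",
  "java\tscript:alert(1)",
  "data:text/html,<script>alert(1)</script>",
  "example.com/promo",
  "https://example.com/promo?ref=newsletter",
  "mailto:sales@example.com",
];

for (const url of SAMPLE_URLS) {
  console.log(JSON.stringify(url), "->", safeHref(url));
}
```

safeHref returns the parser's normalized form (for example a percent-encoded query), so the value written into the attribute is the one the browser will actually follow, not the raw string the user typed.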