Stored XSS and html injection in

ID H1:267783
Type hackerone
Reporter ruvlol
Modified 2017-12-27T14:26:26


Domain, site, application:

Testing environment: Latest Chrome

Steps to reproduce

1) go to, login
2) go to "My company"
3) create a department named as "></div></form></script><script>alert()</script><iframe src="" onload="alert()">
4) add an employee in that department
5) create a new subdepartment
6) add the employee from step 4 in our subdepartment

Actual results:

The payload speaks for itself

PoC, exploit code, screenshots, video, references, additional resources:

See the attached .gif
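
A regression check for the behaviour reported above, as an added example that is not part of the original report or the affected application's code. It assumes the stored department name is written into a quoted attribute and an element body (suggested by the leading `">` in the step 3 payload); the `<option>` markup and all function names are hypothetical.

```javascript
// Added example: markup and names are hypothetical, not the affected application's code.

// Payload from step 3 of the report, used as a regression-test input.
const REPORT_PAYLOAD =
  '"></div></form></script><script>alert()</script><iframe src="" onload="alert()">';

const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '`': '&#96;',
};

// Encode a value for use in an element body or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable pattern: the stored name is concatenated into markup unchanged.
function renderDepartmentUnsafe(dept) {
  return `<option value="${dept.id}" title="${dept.name}">${dept.name}</option>`;
}

// Hardened pattern: every stored field is encoded at output time.
function renderDepartmentSafe(dept) {
  const id = escapeHtml(dept.id);
  const name = escapeHtml(dept.name);
  return `<option value="${id}" title="${name}">${name}</option>`;
}

// Count opening and closing tags in a fragment. One <option> element must
// yield exactly two; anything more means stored data became markup.
function countTags(html) {
  return (html.match(/<\/?[a-zA-Z][^>]*>/g) || []).length;
}

// Constructed record standing in for the department created in step 3.
const sampleDept = { id: 42, name: REPORT_PAYLOAD };
console.log('unsafe tag count:', countTags(renderDepartmentUnsafe(sampleDept)));
console.log('safe tag count:  ', countTags(renderDepartmentSafe(sampleDept)));
```

Encoding at output time covers every view that later displays the name, including the employee and subdepartment views reached in steps 4 to 6.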