Mail.ru: Stored XSS and html injection in biz.mail.ru

2017-09-12T15:45:16
ID H1:267783
Type hackerone
Reporter ruvlol
Modified 2017-12-27T14:26:26

Description

Domain, site, application: biz.mail.ru

Testing environment: Latest Chrome

Steps to reproduce

1) Go to biz.mail.ru and log in
2) Go to "My company"
3) Create a department named "></div></form></script><script>alert()</script><iframe src="www.google.com" onload="alert()">
4) Add an employee to that department
5) Create a new subdepartment
6) Add the employee from step 4 to our subdepartment

Actual results:

Payload speaks for itself

PoC, exploit code, screenshots, video, references, additional resources:

In the attached .gif
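
One way to neutralise the department name from step 3 at output time, as an added example that is not part of the original report and not Mail.ru's code. The three templates (form field, list row, inline script) are assumed rendering contexts, chosen because the payload closes an attribute, a div, a form and a script; all function names are hypothetical.

```javascript
// Constructed sample input: the department name from step 3 of the report.
const departmentName =
  '"></div></form></script><script>alert()</script>' +
  '<iframe src="www.google.com" onload="alert()">';

// Encode for HTML element content and quoted attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Encode for use as a string literal inside an inline <script> block.
// JSON.stringify alone leaves "</script>" intact, and the HTML parser ends the
// script element there before the JS parser sees the string, so <, >, & and the
// U+2028/U+2029 line separators are emitted as \uXXXX escapes.
function escapeForInlineScript(value) {
  return JSON.stringify(String(value)).replace(
    /[<>&\u2028\u2029]/g,
    (ch) => '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0')
  );
}

// Hypothetical templates (assumptions): a form field, a list row, inline data.
function renderDepartment(name) {
  return [
    `<form><input name="dept" value="${escapeHtml(name)}"></form>`,
    `<div class="dept-row">${escapeHtml(name)}</div>`,
    `<script>var dept = ${escapeForInlineScript(name)};</script>`,
  ].join('\n');
}

// True when the markup contains exactly the seven tags the templates emit,
// i.e. the stored name contributed no markup of its own.
function onlyTemplateTags(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  const allowed = /^<\/?(form|input|div|script)\b/;
  return tags.length === 7 && tags.every((t) => allowed.test(t));
}

console.log(renderDepartment(departmentName));
```

Encoding is applied when the value is written into the page, per context, so the stored name can stay as the user typed it.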