Stored XSS using SVG on subdomain

ID H1:275668
Type hackerone
Reporter whitesector
Modified 2017-12-01T13:08:00


It was possible to execute script in the context of by publishing a static script-containing file (such as SVG or XML) in the "Infra" service. This context doesn't use cookies for authentication, but XSS could allow phishing / content spoofing.

This problem was addressed by moving user's content to a different sandbox domain ( is not currently covered by the Bug Bounty program).
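
A conservative upload check for the file types named above, as an added example that is not part of the original report or the vendor's fix: it flags SVG/XML documents carrying script elements, event-handler attributes or script-capable URLs. The function names, tag list and sample files are assumptions constructed for illustration; a check like this complements, and does not replace, serving user content from a separate sandbox domain.

```python
import xml.etree.ElementTree as ET

# Elements that run script or embed foreign documents when the file is
# opened as a top-level document on the serving origin.
ACTIVE_TAGS = {"script", "foreignobject", "iframe", "object", "embed"}
URL_ATTRS = {"href", "src"}  # xlink:href becomes "href" once the namespace is dropped

def local(name):
    # Drop the "{namespace}" prefix ElementTree puts on tags and attributes.
    return name.rsplit("}", 1)[-1].lower()

def find_active_content(data):
    """Return the reasons an uploaded SVG/XML file should not be served inline."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return ["not UTF-8: refused rather than guessing the encoding"]
    lowered = text.lower()
    if any(m in lowered for m in ("<!doctype", "<!entity", "<?xml-stylesheet")):
        return ["DTD or stylesheet instruction: refused before parsing"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["not well-formed XML"]
    findings = []
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = local(attr)
            url = "".join(value.split()).lower()  # normalise case and whitespace
            if name.startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and url.startswith(("javascript:", "data:")):
                findings.append(f"script-capable URL in {name} on <{tag}>")
    return findings

# Constructed sample uploads (not taken from the report).
SVG = b'<svg xmlns="http://www.w3.org/2000/svg"'
SAMPLES = {
    "plain.svg": SVG + b'><circle r="4"/></svg>',
    "script.svg": SVG + b'><script>/* constructed */</script></svg>',
    "onload.svg": SVG + b' onload="void 0"/>',
    "link.svg": SVG + b' xmlns:x="http://www.w3.org/1999/xlink"><a x:href=" JavaScript:void(0)"/></svg>',
}
if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(fname, find_active_content(blob) or "ok")
```

The check is deliberately strict: it also rejects files with a DOCTYPE or an embedded `data:` image, so flagged files are better served as downloads than silently dropped.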