Mail.ru: Stored XSS using SVG on subdomain infra.mail.ru

2017-10-09T15:00:19
ID H1:275668
Type hackerone
Reporter whitesector
Modified 2017-12-01T13:08:00

Description

It was possible to execute script in the context of https://infra.mail.ru:8080/ by publishing a static file containing script (such as an SVG or XML file) in the "Infra" service. This context does not use cookies for authentication, but the XSS could still enable phishing and content spoofing.

This problem was addressed by moving user content to a separate sandbox domain (https://infra.smailru.net:8080/).
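The two defensive checks below are an added example and are not code from the report or from Mail.ru. The first scans an uploaded SVG for content that a browser would execute when rendering it as a document (script elements, event-handler attributes, javascript: links, foreignObject). The second checks that the host serving uploads is on a different registrable domain from the application, which is the kind of isolation the fix above relies on: an SVG served from a different site cannot run in the application's origin or read its cookies. The sample SVG documents are constructed for the test, and the registrable-domain check is a naive two-label approximation rather than a Public Suffix List lookup.

```python
import xml.etree.ElementTree as ET
from typing import List
from urllib.parse import urlsplit

# Elements that run or embed active content when an SVG is opened as a document
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}


def _local(name: str) -> str:
    """Strip an XML namespace prefix such as '{http://www.w3.org/2000/svg}'."""
    return name.rsplit("}", 1)[-1]


def find_active_content(svg_bytes: bytes) -> List[str]:
    """Return a list of findings describing active content; an empty list means none found.

    Unparseable input is reported as a finding so that it is never served on the
    assumption that it is harmless. Note: for untrusted input in production,
    defusedxml is the safer parser; ET is used here to keep the example dependency-free.
    """
    findings: List[str] = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable: {exc}"]
    for el in root.iter():
        name = _local(el.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"<{name}> element")
        for attr, value in el.attrib.items():
            a = _local(attr)
            # SVG event handlers (onload, onclick, ...) all start with "on"
            if a.lower().startswith("on"):
                findings.append(f"event handler {a} on <{name}>")
            # href / xlink:href pointing at a javascript: or HTML data: URL
            if a == "href":
                v = "".join(value.split()).lower()  # URL parsers drop whitespace, so do we
                if v.startswith("javascript:") or v.startswith("data:text/html"):
                    findings.append(f"{a}={value!r} on <{name}>")
    return findings


def _registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). Real code should consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_isolated_origin(upload_url: str, app_url: str) -> bool:
    """True when uploads are served from a different site than the application.

    A different registrable domain means a different origin and no shared cookies,
    so script inside a served file cannot act as the application's origin.
    """
    up, app = urlsplit(upload_url), urlsplit(app_url)
    if not up.hostname or not app.hostname:
        return False
    return _registrable_domain(up.hostname) != _registrable_domain(app.hostname)


# Constructed sample inputs for demonstration (not from the report)
ACTIVE_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
    b"<script>/* constructed: active content */</script>"
    b'<a xlink:href="javascript:void(0)"><circle r="1" onload="void 0"/></a>'
    b"</svg>"
)
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4" fill="teal"/></svg>'

if __name__ == "__main__":
    for label, doc in (("active", ACTIVE_SVG), ("benign", BENIGN_SVG)):
        print(label, find_active_content(doc))
    print("sandbox domain isolated:",
          is_isolated_origin("https://infra.smailru.net:8080/", "https://infra.mail.ru:8080/"))
    print("subdomain isolated:",
          is_isolated_origin("https://infra.mail.ru:8080/", "https://mail.ru/"))
```

The scanner is a screening step, not a sanitizer: a file with any finding should be rejected or served only as a download, and even clean files should still be hosted on the isolated domain, since no blacklist of elements and attributes keeps up with browser features.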

infra.mail.ru is not currently covered by Bug Bounty program.