Hello. Recently I contacted Infogram and requested a trial of the Business version to test some features which were unavailable in the Basic version.
I discovered a stored cross-site scripting issue in the Custom Logo link.
There were some URL checks in place, but I was able to bypass them, because the position of the http[s]:// was not checked (the string could start with other arbitrary symbols).
Visit this infographic:
Scroll to the end of the page, and click the logo in the bottom-right (green triangle):
The XSS with document.domain payload will be executed.
1) You need a Business account.
2) Visit the https://infogram.com/app/#settings/infographic ->
3) Change the logo link to the
4) Create some infographic, make it public, visit and click the logo
http:// became appended to the payload),
http[s] protocol, we can bypass it using a comment:
When clicking such a link, the browser sees it as
The validator should check that the Logo Link string strictly starts with
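The following is an added example of the strict validator the report recommends; it is not Infogram's code and the sample links are constructed. It contrasts a substring-style check (the class of check the report describes as bypassable) with one that anchors the scheme at position 0, allows only http/https, and requires a host.

```python
import re
from urllib.parse import urlsplit

# Strict logo-link validator, added as an example (not Infogram's code).
# The weak check looks for "http://" or "https://" anywhere in the string;
# the hardened check anchors the scheme at the very start of the string,
# allows only http/https, and requires a real host.
ALLOWED_SCHEMES = {"http", "https"}
SCHEME_AT_START = re.compile(r"^https?://", re.IGNORECASE)

def weak_check(link: str) -> bool:
    """Models the bypassable check: the protocol only has to appear somewhere."""
    return "http://" in link or "https://" in link

def validate_logo_link(link: str) -> bool:
    """Accept only links whose raw string begins with http(s)://, parse to an
    allowed scheme and carry a host. Any prefix before the scheme, including
    leading whitespace, is rejected rather than stripped."""
    if not SCHEME_AT_START.match(link):
        return False
    # Reject control characters anywhere: browsers silently drop some of them
    # while parsing, so a validator and a browser may disagree on the scheme.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in link):
        return False
    parts = urlsplit(link)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    if not parts.hostname:
        return False
    return True

# Constructed sample inputs (not taken from the report).
SAMPLES = {
    "https://example.com/logo": True,
    "http://example.com": True,
    "x https://example.com": False,   # arbitrary prefix before the scheme
    " https://example.com": False,    # leading whitespace
    "javascript:void(0)": False,      # non-http scheme
    "https://": False,                # no host
}

def check_samples() -> dict:
    """Run the strict validator over every sample; returns {link: verdict}."""
    return {s: validate_logo_link(s) for s in SAMPLES}

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:32} weak={weak_check(s)!s:5} strict={validate_logo_link(s)}")
```

Note that the prefixed sample passes the weak substring check but fails the strict one; the hardened check treats the raw string, not a trimmed or normalised copy.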