Slack: Stored XSS

2014-03-03T18:52:15
ID H1:2926
Type hackerone
Reporter appsecure_in
Modified 2014-04-06T19:40:45

Description

Hi,

Go to this URL https://sehacure.slack.com/account/preferences?updated_highlight_words=1 and in the highlight words option please fill the XSS vector as

</textarea><script>prompt(document.cookie);</script>

Your cookie will be reflected.

Best regards, Anand
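
The fix class for the behaviour reported above, as an added example that is not part of the original report and not Slack's code: a saved preference rendered into a `<textarea>` without output encoding, next to the encoded form, plus a regression check. The function names and the `highlight_words` field name are assumptions made for illustration.

```javascript
// Added example. All names here are hypothetical, not taken from Slack.

// Vulnerable form: the stored value is concatenated into the markup as-is,
// so a value containing "</textarea>" ends the element early.
function renderHighlightWordsUnsafe(stored) {
  return '<textarea name="highlight_words">' + stored + '</textarea>';
}

// HTML-encode the characters that can close the element or start an entity.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened form: the stored value is encoded at output time.
function renderHighlightWordsSafe(stored) {
  return '<textarea name="highlight_words">' + escapeHtml(stored) + '</textarea>';
}

// Regression check: a textarea's content ends at the first "</textarea".
// If anything follows that close tag, stored data was parsed as markup.
function escapesTextarea(html) {
  const contentStart = html.indexOf('>') + 1; // end of the opening tag
  const firstClose = html.toLowerCase().indexOf('</textarea', contentStart);
  return html.slice(firstClose + '</textarea>'.length).length > 0;
}

// The value from the report, and a benign value constructed for comparison.
const reported = '</textarea><script>prompt(document.cookie);</script>';
const benign = 'deploy, outage';

console.log(escapesTextarea(renderHighlightWordsUnsafe(reported))); // true
console.log(escapesTextarea(renderHighlightWordsSafe(reported)));   // false
console.log(escapesTextarea(renderHighlightWordsUnsafe(benign)));   // false
```

Marking session cookies HttpOnly limits what `document.cookie` exposes to an injected script, but it does not remove the injection; the output encoding does.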