Dropbox: Forum posts and private messages are poorly sanitized, allowing execution of arbitrary JavaScript

2018-02-16T10:01:10
ID H1:316738
Type hackerone
Reporter pikamander2
Modified 2019-05-13T16:01:34

Description

The reporter informed us of both stored XSS vulnerabilities as well as unsafe css attributes that were allowed in forum posts due to TinyMCE editor. An upgrade to lithium's forum platform appears to have mitigated these vulnerabilities.