LocalTapiola: Reflected XSS (myynti.lahitapiolarahoitus.fi)

2018-03-11T13:37:30
ID H1:324423
Type hackerone
Reporter yasar
Modified 2018-06-19T06:03:31

Description

Basic report information

Summary: There is a reflected XSS on myynti.lahitapiolarahoitus.fi.

Description: There is a reflected XSS on the myynti.lahitapiolarahoitus.fi website. The redirect parameter of the hash route is used as a navigation target without validation, so a javascript: URL supplied in it is executed in the site's origin.

Impact: Steals cookies (and allows arbitrary script execution in the site's origin) for any logged-in user who opens the crafted link.

Browsers / Apps Verified In:

Tested on Chrome Version 57.0.2987.98, Built on 8.7, running on Debian 8.10 (64-bit)
Tested on Firefox 52.5.2 (64-bit)

Steps To Reproduce:

Open the following link while logged in; the alert box shows the session cookies: https://myynti.lahitapiolarahoitus.fi/#/?redirect=javascript%3Aalert(document.cookie)

Additional material

{F271480}

Impact

Steals cookies (and allows arbitrary script execution in the site's origin) for any logged-in user who opens the crafted link.