Valve: Unfiltered input allows for XSS in "Playtime Item Grants" fields

2018-05-17T08:21:13
ID H1:353334
Type hackerone
Reporter xpaw
Modified 2018-05-24T22:00:09

Description

Enter ">test in any of the 3 fields, save it and reload the page.

Impact

Stored XSS, could possibly break some internal features too as the stored value is not an integer.

The hacker selected the Cross-site Scripting (XSS) - Stored weakness. This vulnerability type requires contextual information from the hacker. They provided the following answers:

URL https://partner.steamgames.com/apps/inventoryservice/[xxx]
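
The two server-side controls this report points at, strict integer validation on save and attribute-context escaping on render, shown as an added example; it is not code from Valve or from the report. The field names, function names and the non-negative, 9-digit bound are assumptions made for illustration.

```python
import html
import re

# Hypothetical field names: the report only says there are 3 "Playtime Item Grants" fields.
GRANT_FIELDS = ("grant_interval_minutes", "grants_per_window", "window_minutes")
_DIGITS = re.compile(r"[0-9]{1,9}")  # ASCII digits only, bounded length (assumed limit)


def parse_grant_value(raw):
    """Return the field as an int, or raise ValueError for anything else."""
    if not isinstance(raw, str) or not _DIGITS.fullmatch(raw.strip()):
        raise ValueError("expected a non-negative integer")
    return int(raw.strip())


def save_grants(form, store):
    """Validate every field first; store nothing unless all of them pass."""
    parsed, errors = {}, {}
    for name in GRANT_FIELDS:
        try:
            parsed[name] = parse_grant_value(form.get(name, ""))
        except ValueError as exc:
            errors[name] = str(exc)
    if not errors:
        store.update(parsed)
    return errors


def render_input_unsafe(name, value):
    # The pattern the report implies: stored value concatenated into the attribute.
    return '<input name="' + name + '" value="' + str(value) + '">'


def render_input(name, value):
    # Escape for the attribute context even though the value should be an int:
    # rows saved before validation existed may still hold arbitrary strings.
    return '<input name="{}" value="{}">'.format(
        html.escape(name, quote=True), html.escape(str(value), quote=True))


# Constructed input: the string from the report placed in one of the fields.
SAMPLE_FORM = {"grant_interval_minutes": '">test',
               "grants_per_window": "2", "window_minutes": "60"}
```

Validation alone leaves previously stored values exploitable, and escaping alone leaves non-integer data in storage (the "break some internal features" part of the impact), so both are applied.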