Valve: Unfiltered input allows for XSS in "Playtime Item Grants" fields

ID H1:353334
Type hackerone
Reporter xpaw
Modified 2018-05-24T22:00:09


Enter ">test in any of the 3 fields, save it and reload the page.

Impact: Stored XSS, could possibly break some internal features too as the stored value is not an integer.
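The fix for this class of bug has two layers, shown here as an added example that is not part of the original report or Valve's code: reject anything that is not an integer before it is stored, and encode the value when it is written back into the page. The field names and the assumption that the value is rendered inside an input's value attribute are hypothetical.

```python
import html

# Hypothetical names for the three "Playtime Item Grants" fields (not from the report).
FIELDS = ("grant_interval", "grant_window", "max_grants")

def parse_grant_value(raw, lo=0, hi=2**31 - 1):
    """Accept only ASCII decimal digits within [lo, hi]; raise ValueError otherwise."""
    text = raw.strip()
    if not (text.isascii() and text.isdigit()):
        raise ValueError(f"not an integer: {raw!r}")
    value = int(text)
    if not lo <= value <= hi:
        raise ValueError(f"out of range: {value}")
    return value

def validate_form(form):
    """Return (clean, errors); the caller stores nothing unless errors is empty."""
    clean, errors = {}, {}
    for name in FIELDS:
        try:
            clean[name] = parse_grant_value(form.get(name, ""))
        except ValueError as exc:
            errors[name] = str(exc)
    return clean, errors

def render_input_unsafe(name, stored):
    # Assumed 'before' rendering: the stored value is written into the attribute as-is,
    # so a quote in the value ends the attribute and the rest is parsed as markup.
    return f'<input type="text" name="{name}" value="{stored}">'

def render_input(name, stored):
    # Encode at output as well, so rows saved before validation existed stay inert.
    safe_name = html.escape(name, quote=True)
    safe_value = html.escape(str(stored), quote=True)
    return f'<input type="text" name="{safe_name}" value="{safe_value}">'

if __name__ == "__main__":
    # Constructed sample submission using the test string from the report.
    submitted = {"grant_interval": '">test', "grant_window": "60", "max_grants": " 5 "}
    print(validate_form(submitted))
    print(render_input_unsafe("grant_interval", '">test'))
    print(render_input("grant_interval", '">test'))
```

Output encoding is kept even though validation rejects the value, because values already stored before the check was added would otherwise still render unescaped.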

The hacker selected the Cross-site Scripting (XSS) - Stored weakness. This vulnerability type requires contextual information from the hacker. They provided the following answers: