ID H1:353334Type hackeroneReporter xpawModified 2018-05-24T22:00:09
Description
Enter ">test in any of the 3 fields, save it and reload the page.
Impact
Stored XSS, could possibly break some internal features too as the stored value is not an integer.
The hacker selected the Cross-site Scripting (XSS) - Stored weakness. This vulnerability type requires contextual information from the hacker. They provided the following answers:
URL
https://partner.steamgames.com/apps/inventoryservice/[xxx]
{"id": "H1:353334", "bulletinFamily": "bugbounty", "title": "Valve: Unfiltered input allows for XSS in \"Playtime Item Grants\" fields", "description": "Enter \">test in any of the 3 fields, save it and reload the page.\n\nImpact\nStored XSS, could possibly break some internal features too as the stored value is not an integer.\n\nThe hacker selected the Cross-site Scripting (XSS) - Stored weakness. This vulnerability type requires contextual information from the hacker. They provided the following answers:\n\nURL\nhttps://partner.steamgames.com/apps/inventoryservice/[xxx]", "published": "2018-05-17T08:21:13", "modified": "2018-05-24T22:00:09", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/353334", "reporter": "xpaw", "references": [], "cvelist": [], "type": "hackerone", "lastseen": "2018-06-05T21:27:16", "history": [], "edition": 1, "hashmap": [{"key": "bounty", "hash": "90608dcb3c2783e4d6e78a5f92bf4f79"}, {"key": "bountyState", "hash": "fafdd4fbb3fee9a56e17d43689f48d18"}, {"key": "bulletinFamily", "hash": "05ada9a7482161942c43eadd60b0440c"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "f3c01571f412834527dc7c5e461b9557"}, {"key": "h1reporter", "hash": "6e17bca17d5b6173d82caf42190f7eea"}, {"key": "h1team", "hash": "7cbba041e04bc00ffc1f5ed626d8f5a5"}, {"key": "href", "hash": "58a27d6cacaa39c2a32131415ad114fc"}, {"key": "modified", "hash": "067712f2a5924e4971bfd5dadaed95dc"}, {"key": "published", "hash": "3034f1020ba8e12e5cfb520f84b1d0ee"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "60340e01d4706de46b5f8fbd777aeb64"}, {"key": "title", "hash": "2f86b6d360360c03fb48d17fe14c1a3b"}, {"key": "type", "hash": "ec83c92514064cbcd1d6878e7bc2471a"}], "hash": "1ab3a21fa03bbc67922f51e680c0053af0bacbb3d3c1146fbc18c3133d3725b0", "viewCount": 11, "enchantments": {"score": {"value": 4.3, "vector": "NONE", "modified": "2018-06-05T21:27:16"}, "vulnersScore": 4.3}, "objectVersion": "1.3", "bounty": 750.0, "bountyState": "resolved", "h1team": {"handle": "valve", "profile_picture_urls": {"medium": "https://profile-photos.hackerone-user-content.com/000/023/363/108249db69174477f86300d445fc8f4cb3ab98d2_medium.png?1504915279", "small": "https://profile-photos.hackerone-user-content.com/000/023/363/70bcb701fe28ae1bbc98b28ce88a5dd98e38a6b6_small.png?1504915279"}, "url": "https://hackerone.com/valve"}, "h1reporter": {"disabled": false, "hacker_mediation": false, "hackerone_triager": false, "is_me?": false, "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/000/007/335/74b414a4cf51c1015ee5cbef9f82faa2377415ba_small.jpg?1402912859"}, "url": "/xpaw", "username": "xpaw"}}
{}
