Vimeo: player.vimeo.com - Reflected XSS Vulnerability

2015-01-14T02:05:52
ID H1:43672
Type hackerone
Reporter dekeeu
Modified 2015-03-09T16:00:00

Description

Hi.

I want to report a reflected XSS vulnerability that I found in the player.vimeo.com website and which can affect the safety of your users. This vulnerability allows an attacker to inject JavaScript content into web pages for sending malicious scripts to an unsuspecting user. This flaw can access any cookies, session tokens, or other sensitive information retained by the victim's browser and used with that site.

PoC Link: http://player.vimeo.com/hubnut/channel/830190?user="onmousemove="alert(1)"

Type: GET XSS

Vulnerable Parameter: user

Steps for reproducing this flaw: Open the PoC Link in a web browser and point the cursor over the page background and you will see that an alert() function will be called.

The cause of this vulnerability is the value of the user GET parameter, which is inserted in the page without being encoded. As a result, I can inject a JavaScript function as a value for an event attribute like onmousemove, onmouseover, etc.

Regards, Coltuneac Alexandru
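
The cause named in the report (the `user` value written into an attribute without encoding), shown beside the attribute-encoded form as an added example; it is not part of the original report or Vimeo's code. The `div`/`data-user` template and all function names are hypothetical, since the page does not show the real markup.

```javascript
// Constructed sample: the `user` value taken from the report's PoC link.
const POC_USER = '"onmousemove="alert(1)"';

// Encode every character that can end or restructure an HTML attribute value.
function encodeAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;',
                '"': '&quot;', "'": '&#x27;', '`': '&#x60;' };
  return String(value).replace(/[&<>"'`]/g, (ch) => map[ch]);
}

// "Before": the value is concatenated into a double-quoted attribute as-is
// (hypothetical template; this is the behaviour the report describes).
function renderUnsafe(user) {
  return '<div class="hubnut" data-user="' + user + '"></div>';
}

// "After": same template, value encoded for the attribute context.
function renderSafe(user) {
  return '<div class="hubnut" data-user="' + encodeAttr(user) + '"></div>';
}

// Small scanner for the first opening tag: lists the attribute names a
// browser would create from name="value" pairs, in document order.
function attributeNames(html) {
  const tag = html.slice(html.indexOf('<') + 1, html.indexOf('>'));
  const pair = /([^\s"'=<>\/]+)\s*=\s*"([^"]*)"/g;
  return [...tag.matchAll(pair)].map((m) => m[1].toLowerCase());
}

// True when the rendered tag carries any on* event-handler attribute.
function hasEventHandler(html) {
  return attributeNames(html).some((name) => name.startsWith('on'));
}

console.log(attributeNames(renderUnsafe(POC_USER)));
console.log(attributeNames(renderSafe(POC_USER)));
```

The same check works as a regression test: render with the reported value and fail the build if any attribute other than the template's own appears.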