Upserve : Reflected XSS on https://inventory.upserve.com/ (affects IE users only)
2018-12-19T02:50:26
ID H1:469841 Type hackerone Reporter stealthy Modified 2019-08-06T19:30:46
Description
The REQUEST_URI was assigned as the value of a hidden field in the login form without proper escaping, resulting in a reflected cross-site scripting bug. Browsers were mitigating the issue, and IE was only impacted if XSS protection was disabled. We've improved the sanitization of this field.
The value of REQUEST_URI was not correctly sanitized for user input, in this case double quotes. However, due to URL encoding, this was only exploitable in IE.
https://inventory.upserve.com/login/?'"--><script>confirm(document.cookie)</script>
Upserve handled this report quickly and professionally. I am looking forward to working with them again in the future.
Href https://hackerone.com/reports/469841 Program https://hackerone.com/upserve Bounty 1200.0 Bounty state resolved
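The bug class behind this report, as an added illustration that is not code from the report, the reporter or Upserve: a hypothetical login page copies the raw request URI into a hidden input so the form can post back to the same URL, a raw double quote in the URI ends the value attribute, and the same payload stays harmless when the browser percent-encodes it before sending. The page markup, field names, the simplified browser encoding rule and the script-detection check are all constructed assumptions.

```python
# Added illustration only: not code from the report or from Upserve. It models the
# bug class the description names (raw REQUEST_URI copied into a hidden input's
# value attribute) with a hypothetical login page; all names are constructed.
import html
import re
from urllib.parse import quote

# Constructed request URI with the same shape as the report's PoC: a raw double
# quote closes the attribute, "-->" closes any comment context, then a script tag.
PAYLOAD_URI = "/login/?'\"--><script>confirm(document.cookie)</script>"


def render_login_vulnerable(request_uri: str) -> str:
    """Vulnerable pattern: the raw REQUEST_URI is interpolated into an attribute
    verbatim so the form can post back to the page it came from."""
    return (
        '<form method="post" action="/login/">\n'
        f'  <input type="hidden" name="return_to" value="{request_uri}">\n'
        '  <input type="submit" value="Log in">\n'
        "</form>"
    )


def render_login_fixed(request_uri: str) -> str:
    """Hardened form: HTML-escape the value for attribute context. quote=True
    makes html.escape encode both ' and " in addition to &, < and >."""
    safe = html.escape(request_uri, quote=True)
    return (
        '<form method="post" action="/login/">\n'
        f'  <input type="hidden" name="return_to" value="{safe}">\n'
        '  <input type="submit" value="Log in">\n'
        "</form>"
    )


def as_sent_by_encoding_browser(request_uri: str) -> str:
    """Approximation (an assumption, not the exact WHATWG URL rules) of what a
    browser that percent-encodes ", <, > and ' in the query puts on the wire.
    The server sees the still-encoded bytes in REQUEST_URI, so even the
    vulnerable template never turns them into markup."""
    return quote(request_uri, safe="/?=&")


_QUOTED_ATTR_VALUE = re.compile(r'"[^"]*"')


def contains_injected_script(markup: str) -> bool:
    """Crude stand-in for the browser's tokenizer: blank out every double-quoted
    attribute value, then check whether a <script tag survives in tag/markup
    context. Text that stayed inside an attribute value cannot execute."""
    outside_attributes = _QUOTED_ATTR_VALUE.sub('""', markup)
    return "<script" in outside_attributes.lower()


if __name__ == "__main__":
    cases = [
        ("vulnerable template, raw quote in URI (IE-style request)",
         render_login_vulnerable(PAYLOAD_URI)),
        ("vulnerable template, percent-encoded request",
         render_login_vulnerable(as_sent_by_encoding_browser(PAYLOAD_URI))),
        ("fixed template, raw quote in URI",
         render_login_fixed(PAYLOAD_URI)),
    ]
    for label, page in cases:
        print(f"{label}: script injected = {contains_injected_script(page)}")
```

Only the first case yields an executable script tag, which is the "IE only" behaviour the description reports: the other browsers' URL encoding masked the missing escaping without fixing it, so the fix has to be output escaping of the attribute value rather than reliance on the client.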