Upserve : Reflected XSS on https://inventory.upserve.com/ (affects IE users only)

2018-12-19T02:50:26
ID H1:469841
Type hackerone
Reporter stealthy
Modified 2019-08-06T19:30:46

Description

The REQUEST_URI was assigned as the value of a hidden field in the login form without proper escaping, resulting in a reflected cross-site scripting bug. Browsers were mitigating the issue, and IE was only impacted if XSS protection was disabled. We've improved the sanitization of this field. User input in the value of REQUEST_URI, in this case double quotes, was not correctly sanitized. However, due to URL encoding, this was only exploitable in IE.

https://inventory.upserve.com/login/?'"--><script>confirm(document.cookie)</script>

Upserve handled this report quickly and professionally. I am looking forward to working with them again in the future.
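
The bug class described in the report, as an added example that is not Upserve's code: a request URI copied into a hidden field's `value` attribute with and without attribute escaping, checked by parsing the resulting markup. The field name `redirect`, the helper names and the percent-encoded variant of the URI are assumptions constructed for illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote

# Path and query from the URL in the report, as a client sends it when the
# query is NOT percent-encoded.
RAW_URI = "/login/?'\"--><script>confirm(document.cookie)</script>"
# Constructed: the same request from a client that percent-encodes the query.
ENCODED_URI = "/login/?" + quote(RAW_URI.split("?", 1)[1], safe="/()")

def render_unescaped(request_uri):
    # Pre-fix behaviour described in the report: value copied in as-is.
    # "redirect" is a hypothetical field name.
    return '<input type="hidden" name="redirect" value="' + request_uri + '">'

def render_escaped(request_uri):
    # Attribute-context escaping: &, <, > and both quote characters
    # become character references, so the value cannot close the attribute.
    safe = html.escape(request_uri, quote=True)
    return '<input type="hidden" name="redirect" value="' + safe + '">'

class TagCollector(HTMLParser):
    """Records every start tag and the value the <input> actually received."""
    def __init__(self):
        super().__init__()
        self.tags = []
        self.value = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.value = dict(attrs).get("value")

def parse(fragment):
    collector = TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags, collector.value

if __name__ == "__main__":
    for label, fragment in [
        ("unescaped, raw query", render_unescaped(RAW_URI)),
        ("unescaped, percent-encoded query", render_unescaped(ENCODED_URI)),
        ("escaped, raw query", render_escaped(RAW_URI)),
    ]:
        tags, value = parse(fragment)
        print(f"{label}: tags={tags} value={value!r}")
```

Only the unescaped rendering of the raw query produces a second element; the percent-encoded request stays inside the attribute even without escaping, which matches the report's statement that URL encoding limited the issue to IE. Escaping at output does not depend on what the client encodes.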