Mobile Vikings: Stored xss in user name (2) affected another user.

ID H1:47349
Type hackerone
Reporter 4lemon
Modified 2015-03-04T14:30:14


Again we have to users: A - attacker B - victim

User A (attacker) has name - name<script>alert(1)</script> and add auth to user B (victim). User B receive a letter and get remider about new request on website. And open it And probably press "Accept" and got xss fired. x:confirm parameter is the reason of this issue.