Mobile Vikings: Stored XSS in user name (2) affected another user.

2015-02-10T18:07:53
ID H1:47349
Type hackerone
Reporter 4lemon
Modified 2015-03-04T14:30:14

Description

Again we have two users: A - attacker, B - victim.

User A (attacker) has the name - name<script>alert(1)</script> and adds auth to user B (victim). User B receives a letter and gets a reminder about a new request on the website, opens https://mobilevikings.com/account/requests/, probably presses "Accept", and the XSS fires. The x:confirm parameter is the reason for this issue.
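
The pattern behind this kind of finding, as an added example that is not Mobile Vikings' code and not part of the original report: a stored name is encoded correctly inside an attribute, then decoded when script reads it and placed into dialog markup without re-encoding. It assumes x:confirm holds confirmation text containing the requester's name; all function names are hypothetical.

```javascript
// Added illustration; every name here is hypothetical, not the site's code.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const REVERSE = Object.fromEntries(Object.entries(ENTITIES).map(([k, v]) => [v, k]));

// Encode for HTML text and quoted-attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Models what a browser returns when script reads an attribute:
// the entity encoding applied by the template is gone again.
function readAttribute(encoded) {
  return encoded.replace(/&(amp|lt|gt|quot|#39);/g, (m) => REVERSE[m]);
}

// Server side: the "Accept" link carries its confirmation text in x:confirm.
// The attribute itself is encoded, so the row markup is safe as served.
function renderRequestRow(displayName) {
  const message = `Accept the request from ${displayName}?`;
  return `<a href="#" x:confirm="${escapeHtml(message)}">Accept</a>`;
}

// Client side: pull the confirmation text back out of the row.
function extractConfirm(rowHtml) {
  const m = rowHtml.match(/x:confirm="([^"]*)"/);
  return m ? readAttribute(m[1]) : null;
}

// Weak: decoded attribute text concatenated into markup (innerHTML-style).
function dialogMarkupUnsafe(message) {
  return `<div class="dialog"><p>${message}</p></div>`;
}

// Corrected: encode again for the new HTML context. In a browser,
// assigning the message to textContent achieves the same result.
function dialogMarkupSafe(message) {
  return `<div class="dialog"><p>${escapeHtml(message)}</p></div>`;
}

// Constructed sample: the display name quoted in the report.
function demo() {
  const row = renderRequestRow('name<script>alert(1)</script>');
  const message = extractConfirm(row);
  return { row, unsafe: dialogMarkupUnsafe(message), safe: dialogMarkupSafe(message) };
}
```

Encoding has to happen at every point where the name enters a new HTML context, because reading the attribute undoes the encoding done by the template.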