Hi team,
This is another report, separate from #732987, because it is completely independent.
In the process of selecting the data source at https://bi.owox.com/ui/settings/connected-services/setup/, I found a reflected XSS.
Specifically, when you click on Google Analytics, a page will appear for you to enter Gmail. After completing the steps, an error link will appear during the redirect (Screenshot):
{F630196}
Firefox
Chrome
1. Go to https://bi.owox.com/ui/callbacks/google-supervisors/analytics<img src=xss onerror=prompt(1)>/?state=d159b8264eef78b11afdd016531b128c
2. Log in, and the XSS will execute:
{F630190}
>This vulnerability is aimed at all victims. Just paste this URL and log in, and the XSS will execute automatically.

Therefore, it will have a high impact, because before the XSS is executed, the application will ask the user to log in.
https://portswigger.net/web-security/cross-site-scripting/reflected
https://portswigger.net/web-security/cross-site-scripting/exploiting
Best regards,
@dat
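Added example (not part of the original report, and not OWOX BI's code): a minimal model of the defect described above, where the provider segment after `/google-supervisors/` is reflected verbatim into an HTML error page, placed beside a hardened version that HTML-encodes the value and checks it against an allow-list. The route layout, the `KNOWN_PROVIDERS` set and the error-page markup are assumptions; the sample URL is constructed from the report's payload with a placeholder host.

```python
"""Reflected XSS via an unencoded URL path segment: vulnerable rendering
beside the hardened form. Added example; the route and page layout are
assumptions, not the application's real code."""
import html
import re
from urllib.parse import urlsplit, unquote

# Constructed sample: the callback URL from the report with a placeholder host.
SAMPLE_URL = ("https://example.invalid/ui/callbacks/google-supervisors/"
              "analytics<img src=xss onerror=prompt(1)>/?state=abc")

# Assumed allow-list of providers the callback handler actually supports.
KNOWN_PROVIDERS = {"analytics", "ads", "search-console"}
PROVIDER_SHAPE = re.compile(r"^[a-z0-9-]{1,32}$")


def provider_from_url(url: str) -> str:
    """Return the path segment that follows /google-supervisors/."""
    path = unquote(urlsplit(url).path)
    parts = [p for p in path.split("/") if p]
    return parts[parts.index("google-supervisors") + 1]


def render_error_vulnerable(provider: str) -> str:
    """'Before': attacker-controlled text is concatenated into HTML as-is,
    so a segment such as <img ... onerror=...> becomes live markup."""
    return f"<p>Unknown provider: {provider}</p>"


def render_error_hardened(provider: str) -> str:
    """'After': contextual output encoding turns < > & \" ' into entities,
    so the browser shows the text instead of parsing a tag."""
    return f"<p>Unknown provider: {html.escape(provider, quote=True)}</p>"


def is_valid_provider(provider: str) -> bool:
    """Input validation layered on top of encoding: only a known,
    well-shaped provider name is accepted by the callback handler."""
    return bool(PROVIDER_SHAPE.match(provider)) and provider in KNOWN_PROVIDERS


def handle_callback(url: str) -> str:
    """Hardened handler: validate first; on failure, render the encoded error."""
    provider = provider_from_url(url)
    if not is_valid_provider(provider):
        return render_error_hardened(provider)
    return f"<p>Connecting {provider}...</p>"


if __name__ == "__main__":
    seg = provider_from_url(SAMPLE_URL)
    print("vulnerable:", render_error_vulnerable(seg))
    print("hardened:  ", handle_callback(SAMPLE_URL))
```

The encoding step is the fix that removes the XSS; the allow-list is a second layer so the handler never has a reason to echo arbitrary path input in the first place. Because the payload fires only after the user authenticates, it runs in a logged-in session, which is why the report rates the impact as high.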