Topcoder: Reflected XSS on

ID H1:866433
Type hackerone
Reporter powerpuff
Modified 2020-05-12T13:49:07
Hi :) A reflected XSS occurs on when editing wiki page attachments.

Steps To Reproduce:

A user can add attachments on a wiki page and can edit on If there is an error, the user is redirected to the doeditattachment path with an error message. An attacker can change the filename parameter and add JS code. When a victim opens this URL, the XSS will execute.

PoC: {F816100}
XSS can be used to steal cookies or to run arbitrary code in the victim's browser.
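The root cause described in the report is a server-side error page that reflects the filename parameter into HTML without output encoding. The following is an added illustration, not code from the report or from Topcoder's wiki: it contrasts a minimal vulnerable renderer with an escaped one, extracts the reflected parameter from a constructed URL, and includes a small check a tester can use to confirm whether an untrusted value reaches the page unescaped. The hostname, the query layout and the error text are assumptions; only the doeditattachment path name and the filename parameter come from the report.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample: a doeditattachment-style URL whose filename parameter
# carries markup. The host and pageId are placeholders, not from the report.
SAMPLE_URL = (
    "https://wiki.example.invalid/pages/doeditattachment"
    "?pageId=1&filename=%3Cscript%3Ealert(1)%3C%2Fscript%3E"
)


def reflected_filename_from_url(url: str) -> str:
    """Return the decoded filename query parameter (empty string if absent)."""
    query = parse_qs(urlsplit(url).query)
    return query.get("filename", [""])[0]


def vulnerable_error_page(filename: str) -> str:
    """Reflects the parameter verbatim: attacker-controlled markup becomes DOM."""
    return f"<p>Could not edit attachment: {filename}</p>"


def safe_error_page(filename: str) -> str:
    """Same message, but the value is entity-encoded for an HTML text-node context.

    html.escape turns < > & " ' into entities, so the browser renders the
    filename as literal text and never parses it as a tag or attribute.
    """
    return f"<p>Could not edit attachment: {html.escape(filename, quote=True)}</p>"


def contains_raw_markup(rendered: str, untrusted: str) -> bool:
    """Detection helper for a test harness.

    True when the untrusted input contains markup-significant characters and
    appears byte-for-byte in the rendered output, i.e. it was not encoded.
    """
    has_markup_chars = any(ch in untrusted for ch in "<>\"'&")
    return has_markup_chars and untrusted in rendered


if __name__ == "__main__":
    name = reflected_filename_from_url(SAMPLE_URL)
    print("vulnerable:", vulnerable_error_page(name))
    print("hardened:  ", safe_error_page(name))
    print("raw markup reflected (vulnerable):", contains_raw_markup(vulnerable_error_page(name), name))
    print("raw markup reflected (hardened):  ", contains_raw_markup(safe_error_page(name), name))
```

The encoding used here is only correct for a value placed inside element text; a filename echoed into an attribute value, a URL, or an inline script block needs the encoding rules for that context instead, and a Content-Security-Policy without `unsafe-inline` adds a second layer if the encoding is ever missed.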