Vimeo: Stored XSS on and

ID H1:87577
Type hackerone
Reporter stefanofinding
Modified 2015-11-30T14:17:08



You can share your uploaded videos using the widget Hubnut. The URL is something like, and I noticed that the same content is loaded for this URL The problem is that the Flash file that shows the files uploaded by an user ( renders the Name of the owner of the video without escaping it. This allows to load an external Flash file using the <img> tag.

Proof of concept

  1. Go to
  2. Change your Name to <img src="//">.
  3. Click on Save Changes.
  4. Go to
  5. Save, for future use, the editable value of the field Vimeo URL (probably is like user36690798).
  6. Go to[value_from_step_5] (like:
  7. alert(document.domain) is executed.
  8. Go to[value_from_step_5] (like:
  9. alert(document.domain) is executed.

Please, let me know if something is not clear.