lemlist: Stored XSS in app.lemlist.com

2020-07-21T18:32:17
ID H1:928816
Type hackerone
Reporter solov9ev
Modified 2020-07-23T13:20:13

Description

Summary:

A stored cross-site scripting (XSS) vulnerability exists in app.lemlist.com. The value of a custom variable (Company > Buddies-to-Be > Custom variables) is saved without sanitization and later inserted into a double-quoted HTML attribute in the WYSIWYG email editor without attribute encoding. A value containing a double quote therefore closes the attribute and injects an event handler, which executes JavaScript in the app.lemlist.com origin whenever the variable is selected in the editor.

Steps To Reproduce:

  • Go to Company > Buddies-to-Be > Custom variables
  • Set the value of a custom variable to the following payload (it closes the surrounding attribute and adds an event handler): " onmouseover="confirm(document.domain)" a="

{F915718}

  • Go to Company > Messages > Blank email
  • In the WYSIWYG editor, open Custom variables and select the variable created above
  • The injected onmouseover handler fires and confirm(document.domain) is displayed, confirming script execution in the app.lemlist.com origin

{F915719}
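
The attribute breakout used above, modeled as an added example (this is not lemlist's code; the template shape, a `title` attribute on a variable chip, is an assumption, only the payload is from the report). It contrasts the unencoded rendering that lets the payload add an `onmouseover` attribute with an attribute-encoded rendering that keeps the value inert, and uses a small attribute scanner to check the result:

```javascript
// Added example, not lemlist's code. Models how a stored custom-variable value
// becomes an attribute-injection XSS and how attribute encoding prevents it.
// The <span title="..."> template is an assumption; the payload is the one from the report.

const PAYLOAD = '" onmouseover="confirm(document.domain)" a="';

// Vulnerable rendering: the stored value is concatenated into a double-quoted
// attribute. A double quote in the value ends the attribute early.
function renderVariableChipUnsafe(name, value) {
  return `<span class="variable" title="${value}">{{${name}}}</span>`;
}

// Encode the characters that can change meaning inside an HTML attribute.
function escapeHtmlAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Hardened rendering: same template, value encoded for the attribute context.
function renderVariableChipSafe(name, value) {
  return `<span class="variable" title="${escapeHtmlAttr(value)}">{{${name}}}</span>`;
}

// Minimal scanner: names of the attributes on the first tag of an HTML fragment.
// Quoted values are consumed whole, so an encoded quote cannot split an attribute.
function attributeNames(html) {
  const tag = html.match(/^<\w+([^>]*)>/);
  if (!tag) return [];
  const names = [];
  const re = /\s+([^\s=]+)(?:=(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  let m;
  while ((m = re.exec(tag[1])) !== null) names.push(m[1]);
  return names;
}

// True if the fragment's first tag carries any on* event-handler attribute.
function hasEventHandler(html) {
  return attributeNames(html).some(n => /^on/i.test(n));
}

// Stand-alone demonstration with the report's payload as the stored value.
const unsafe = renderVariableChipUnsafe('firstName', PAYLOAD);
const safe = renderVariableChipSafe('firstName', PAYLOAD);
console.log('unsafe attributes:', attributeNames(unsafe).join(', '));
console.log('safe attributes:  ', attributeNames(safe).join(', '));
```

Encoding must match the context the value lands in: the escaping above is only correct for a quoted attribute, and a value placed into a script block, a URL or an unquoted attribute needs different handling. When the editor builds the DOM directly, `element.setAttribute('title', value)` and `element.textContent = value` avoid the string-concatenation problem altogether.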

Impact

Because the payload is stored, it executes for every user who selects the variable in the editor, not only for the attacker. An attacker who can edit custom variables can run arbitrary JavaScript in the victim's app.lemlist.com session: for example, steal the user's cookies, perform actions on their behalf, or redirect them to a malicious website.