Imgur: Persistent XSS in and / post statistics

ID H1:96467
Type hackerone
Reporter sleepprogger
Modified 2015-12-09T17:46:36


In, a post parameter could be set containing HTML and JavaScript. This was not escaped properly and the code would be executed.

The reporter used the following example URLs as a proof of concept:
<script>alert(2)</script>
$.cookie%28%29%29%3C/script%3E"><script>alert(2)</script>
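Added example, not code from the report or from Imgur: a minimal server-side render of a post parameter in the vulnerable form and the corrected form, run against the two proof-of-concept fragments above. The function names, the `<div class='stats'>` template and the decode-then-render flow are assumptions made for illustration.

```python
import html
from urllib.parse import unquote

# Constructed sample inputs: the two payload fragments quoted in the report.
POC_PAYLOADS = [
    "<script>alert(2)</script>",
    "$.cookie%28%29%29%3C/script%3E\"><script>alert(2)</script>",
]


def render_stats_unsafe(post_param: str) -> str:
    """Vulnerable pattern: the decoded parameter is concatenated into HTML unescaped."""
    # Frameworks URL-decode query/form values before handing them to the view,
    # so the %3C/%3E sequences become real '<' and '>' characters here.
    value = unquote(post_param)
    return f"<div class='stats'>Post: {value}</div>"


def render_stats_safe(post_param: str) -> str:
    """Hardened pattern: HTML-escape at the point of output, after decoding."""
    value = unquote(post_param)
    # quote=True also escapes '"' and "'", so the '">' break-out in the
    # second payload cannot close the surrounding attribute or tag.
    return f"<div class='stats'>Post: {html.escape(value, quote=True)}</div>"


def contains_active_markup(rendered: str) -> bool:
    """Crude detection for this demo: does a raw <script tag survive in the output?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    for payload in POC_PAYLOADS:
        print("unsafe:", render_stats_unsafe(payload))
        print("safe:  ", render_stats_safe(payload))
```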