Uber: [manage.jumpbikes.com] Blind XSS on Jump admin panel via user name

By setting a user's name to an XSS payload, a user was able to inject JavaScript which was executed on the administrative panel for Jump bikes, allowing complete compromise of the panel, exposing user activity, personal information and billing information...