Stored XSS (Cross Site Scripting) in Slack App Name
Vulnerability Details
Hello Slack,
This vulnerability is about Stored Cross Site Scripting.
Slack Stored XSS in App (App Name)
Vulnerable URL (Edit App Page):
https://api.slack.com/apps/[appid]/general
https://api.slack.com/apps/A21B3V9GA/general
Vulnerable Parameter = name
Note - It also works on other users as well.
Send this link to the victim.
===================
Reproduction Steps
POC Video - https://youtu.be/3jAbPjfPW1o
A screenshot is also attached.
1) Go to app edit page
https://api.slack.com/apps/[appid]/general
https://api.slack.com/apps/A21B3V9GA/general
2) In the app name parameter, enter the following payload
"/><script>alert(/Bhati/)</script>
3) Now open the app page in any other tab
https://bhativictim.slack.com/apps/A21B3V9GA--scriptalert-bhati-script
4) You will get an alert box
5) We can also send this same link to another user (victim).
Thanks,
Narendra
Report Stats
- Report ID: 159460
- State: Closed
- Substate: resolved
- Upvotes: 29
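
The payload in step 2 begins with a double quote and "/>", which ends an attribute value and its tag before a script element opens. The following is an added example, not part of the original report and not Slack's code: it renders the report's app name through an unencoded template and an output-encoded one. The template, the meta and h1 sinks, and all function names are assumptions made for illustration.

```javascript
// Added example: hypothetical page template, not Slack's implementation.
// Constructed sample input: the app name entered in step 2 of the report.
const APP_NAME = '"/><script>alert(/Bhati/)</script>';

// Vulnerable pattern (assumed): the stored name is concatenated into an
// attribute value and into element text with no encoding at output time.
function renderUnsafe(name) {
  return '<meta property="og:title" content="' + name + '"/>' +
         '<h1 class="app_name">' + name + '</h1>';
}

// Encode the characters that can end an attribute value or start a tag.
// "&" is in the same single pass, so existing entities are not double-handled
// out of order.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened pattern: encode when writing to the page, in every sink that
// receives the stored value, so the name is displayed literally.
function renderSafe(name) {
  const safe = escapeHtml(name);
  return '<meta property="og:title" content="' + safe + '"/>' +
         '<h1 class="app_name">' + safe + '</h1>';
}

// Regression check for a test suite: count script start tags in the markup.
function countScriptTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Each of the two sinks in the unsafe template yields a live script tag;
// the encoded template yields none.
console.log('unsafe:', countScriptTags(renderUnsafe(APP_NAME)));
console.log('safe:  ', countScriptTags(renderSafe(APP_NAME)));
console.log(renderSafe(APP_NAME));
```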