[marketplace.informatica.com] Persistent XSS through document title
High
Informatica
Reported by
kasperkarlsson
Vulnerability Details
Technical details and impact analysis
Document titles are not output-encoded before being written into the document page under https://marketplace.informatica.com/docs/ ; the title is placed inside a JavaScript string, as the payload below shows. By including a payload in a document title, an attacker can create a document carrying a persistent (stored) XSS vector that executes for anyone viewing the document page.
Proof of concept
===
The following steps are accompanied by screenshots attached to this report.
1. Log into https://marketplace.informatica.com/ and go to your profile page. Select New -> Document.
2. Choose a location for your new document - "Your Documents" will work just fine.
3. Enter some text in the document body and insert the following XSS vector in the document title: `";alert("XSS in "+document.domain);//`
4. Hit "Publish" on the bottom of the page.
5. Visiting the document page causes the XSS payload to execute.
This test was performed using Mozilla Firefox 49.0.2 and was also confirmed in Google Chrome 54.0.2840.87. The exploit should work in any browser: the payload is stored server-side and delivered in the page body rather than reflected from the request, so browser reflected-XSS filters have nothing to match against, and the injected code is indistinguishable from the site's own script.
Recommended solution
===
Output-encode the document title for the exact context it is written into. Where the title is placed inside a JavaScript string on the document page, encode it as a JavaScript/JSON string literal (escaping `"`, `\` and line terminators) and additionally escape `<` so that a title containing `</script>` cannot close the script block. Where the same title is printed into HTML, apply HTML entity encoding instead. A Content-Security-Policy that disallows inline script would further limit the impact of any similar encoding mistake.
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Weakness
Cross-site Scripting (XSS) - Generic