Stored XSS on profile page via Steam display name
High
Rockstar Games
Team Summary
Official summary from Rockstar Games
The researcher was able to demonstrate an XSS vulnerability by using their Steam nickname as the payload vector. This was due to insufficient filtering on Linked Account name fields. We pushed out an update that replaces suspicious Linked Account names with a generic string in order to prevent future such attacks.
Reported by: alexbirsan
Report Details
Additional information and metadata
State: Closed
Substate: Resolved
Bounty: $1250.00
Weakness: Cross-site Scripting (XSS) - Stored