Stored CSS Injection
Coinbase
Team Summary
Official summary from Coinbase
When creating a product, users can upload a logo. The logo_url was not escaped properly, allowing an attacker to inject malicious characters into a style tag. This vulnerability did not allow for XSS due to our CSP; however, it did allow for CSS injection.
Reported by
cablej
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Submitted
Weakness
Resource Injection
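The summary above describes a logo_url written unescaped into a style tag. The following is an added example, not code from the report or from Coinbase: it assumes a hypothetical template that puts the URL in a `background-image` rule, and contrasts unescaped rendering with an allowlist check plus CSS string escaping. All function names, the rule and the sample URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the logo URL ends up in a rule like this inside a <style> element.
TEMPLATE = "<style>.logo { background-image: url(%s); }</style>"

# Characters of a percent-encoded URL that cannot close url(), a CSS string,
# a declaration block or the <style> element. Quotes, parentheses, braces,
# backslashes, angle brackets and whitespace are deliberately absent.
_SAFE_URL = re.compile(r"[A-Za-z0-9\-._~:/?#\[\]@!$&*+,;=%]+")

# Constructed sample inputs.
GOOD = "https://cdn.example/logo.png"
BAD = "https://cdn.example/logo.png); } body { color: red; } .x { background: url(x"


def render_logo_rule_unsafe(logo_url):
    """The flawed pattern: the value is interpolated with no escaping."""
    return TEMPLATE % logo_url


def validate_logo_url(logo_url):
    """Accept only absolute https URLs made of allowlisted characters."""
    if not _SAFE_URL.fullmatch(logo_url):
        raise ValueError("logo_url contains characters outside the allowlist")
    parts = urlsplit(logo_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("logo_url must be an absolute https URL")
    return logo_url


def css_string(value):
    """Serialize value as a double-quoted CSS string.

    Every non-alphanumeric character becomes a hex escape followed by a
    space, so the value cannot leave the string context.
    """
    out = []
    for ch in value:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        else:
            out.append("\\%x " % ord(ch))
    return '"' + "".join(out) + '"'


def render_logo_rule(logo_url):
    """Hardened rendering: validate first, then escape for the CSS context."""
    return TEMPLATE % css_string(validate_logo_url(logo_url))
```

Validation and escaping are independent layers here: the allowlist rejects the constructed bad input outright, and `css_string` would still keep it inside the quoted string if validation were ever loosened.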