Reflected XSS in https://eng.uberinternal.com and https://coeshift.corp.uber.internal/
Medium
Uber
Team Summary
Official summary from Uber
The `base` parameter of `/oidauth/prompt` on multiple uberinternal.com subdomains was not sanitized before being reflected into the page body, making it vulnerable to reflected XSS. Additionally, these pages were affected by a clickjacking vulnerability that made exploitation easier, since a click was required to trigger the XSS.
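The summary names the bug class but not the fix. The following is an added illustration, not Uber's code and not the real `/oidauth/prompt` handler: a minimal Python rendering of the reflection pattern beside its output-encoded form, plus the response headers that remove the framing step the summary says eased exploitation. The page markup and the sample parameter value are constructed.

```python
import html

# Constructed sample standing in for a hostile `base` query parameter.
# It is not a value taken from the report.
SAMPLE_BASE = "<script>document.title='x'</script>"


def render_prompt_vulnerable(base: str) -> str:
    """Reflects the parameter into the page body verbatim.

    This is the pattern the report describes: whatever the client sends
    in `base` becomes part of the HTML the browser parses."""
    return f"<p>Sign in to continue to {base}</p>"


def render_prompt_fixed(base: str) -> str:
    """Same page, but the parameter is HTML-escaped before reflection.

    html.escape turns <, >, & and (with quote=True) quotes into entities,
    so the value is displayed as text rather than parsed as markup."""
    return f"<p>Sign in to continue to {html.escape(base, quote=True)}</p>"


def anti_clickjacking_headers() -> dict:
    """Headers that forbid other origins from framing the page.

    Both are set because older browsers honour only X-Frame-Options,
    while frame-ancestors is the modern CSP replacement."""
    return {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
    }


def reflects_raw_input(page: str, param: str) -> bool:
    """Regression check for an echoing endpoint: does the raw parameter
    text survive into the response byte-for-byte? If it does, the
    response is building HTML from unencoded user input."""
    return param in page


if __name__ == "__main__":
    print(reflects_raw_input(render_prompt_vulnerable(SAMPLE_BASE), SAMPLE_BASE))  # True
    print(reflects_raw_input(render_prompt_fixed(SAMPLE_BASE), SAMPLE_BASE))       # False
    print(render_prompt_fixed(SAMPLE_BASE))
```

The `reflects_raw_input` check is intentionally crude; it is a cheap CI guard for endpoints known to echo input, not a substitute for a context-aware template engine that escapes by default.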
Reported by
fady_othman
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Bounty
$500.00
Weakness
Cross-site Scripting (XSS) - Reflected