[api.tumblr.com] Exploiting clickjacking vulnerability to trigger self DOM-based XSS
Low
Automattic
Reported by
fuzzme
Vulnerability Details
Technical details and impact analysis
Hello, I have found a clickjacking vulnerability in https://api.tumblr.com/console/*
and a self DOM-based XSS in https://api.tumblr.com/console/calls/user/(follow/unfollow).
An attacker can exploit the clickjacking to trigger the self DOM-based XSS.
Vulnerable URL to clickjacking:
https://api.tumblr.com/console/*
Vulnerable URLs to self DOM-based XSS:
https://api.tumblr.com/console/calls/user/unfollow
https://api.tumblr.com/console/calls/user/follow
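The report states that the console pages can be framed but does not show the response headers. The check a practitioner would run before believing a clickjacking claim is whether the page's framing policy permits an attacker origin. The following is an added example (not part of the report and not Tumblr's code): it evaluates a response's `X-Frame-Options` and `Content-Security-Policy: frame-ancestors` headers against the origin of the page attempting to frame it, using the rules modern browsers apply (a `frame-ancestors` directive is authoritative and makes `X-Frame-Options` ignored; `DENY` blocks all framing; `SAMEORIGIN` allows only the same origin; `ALLOW-FROM` and unknown values are ignored, so the page stays frameable). The header sets, the attacker origin and the function names are constructed for this example.

```javascript
// Added example: evaluate whether a response's framing policy lets a given
// embedder origin frame it. Not code from the report or from Tumblr.
// The sample header sets, PAGE, ATTACKER and SIBLING are constructed here.

// Return the source list of a frame-ancestors directive, or null if absent.
// Note: Content-Security-Policy-Report-Only never enforces, so it is not read.
function parseFrameAncestors(csp) {
  if (!csp) return null;
  const directive = csp.split(';').map((d) => d.trim())
    .find((d) => /^frame-ancestors\b/i.test(d));
  if (!directive) return null;
  // An empty source list ("frame-ancestors" alone) blocks every ancestor.
  return directive.split(/\s+/).slice(1).map((s) => s.replace(/^'|'$/g, '').toLowerCase());
}

function effectivePort(url) {
  return url.port || (url.protocol === 'https:' ? '443' : url.protocol === 'http:' ? '80' : '');
}

// Match one CSP ancestor-source expression against the embedder URL.
function matchesAncestorSource(source, embedder, page) {
  if (source === 'none') return false;
  if (source === '*') return true;
  if (source === 'self') return embedder.origin === page.origin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return embedder.protocol === source; // scheme-source
  // host-source: [scheme://]host[:port], host may begin with "*."
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme && embedder.protocol !== scheme.toLowerCase() + ':') return false;
  const eh = embedder.hostname.toLowerCase();
  const hostOk = host.startsWith('*.')
    ? eh.endsWith(host.slice(1)) && eh.length > host.length - 1
    : eh === host;
  if (!hostOk) return false;
  if (port && port !== '*' && effectivePort(embedder) !== port) return false;
  return true;
}

// true when a modern browser would render pageUrl inside a frame on embedderUrl.
function framingAllowed(headers, pageUrl, embedderUrl) {
  const page = new URL(pageUrl);
  const embedder = new URL(embedderUrl);
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const ancestors = parseFrameAncestors(h['content-security-policy']);
  if (ancestors) return ancestors.some((s) => matchesAncestorSource(s, embedder, page));
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return embedder.origin === page.origin;
  return true; // no policy, or an invalid/ALLOW-FROM value that browsers ignore
}

// Constructed header sets; these are NOT what api.tumblr.com actually sent.
const SAMPLE_RESPONSES = {
  noPolicy: {},
  xfoDeny: { 'X-Frame-Options': 'DENY' },
  xfoSameOrigin: { 'X-Frame-Options': 'SAMEORIGIN' },
  cspSelfAndTumblr: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self' https://*.tumblr.com" },
  cspWinsOverXfo: { 'X-Frame-Options': 'DENY', 'Content-Security-Policy': "frame-ancestors 'self'" },
};
const PAGE = 'https://api.tumblr.com/console/calls/user/follow';
const ATTACKER = 'https://attacker.example/poc.html'; // hypothetical clickjacking page
const SIBLING = 'https://www.tumblr.com/';            // different origin, same site

// Evaluate every sample policy against both embedders.
function evaluateAll() {
  return Object.fromEntries(Object.entries(SAMPLE_RESPONSES).map(([name, headers]) => [
    name,
    { attacker: framingAllowed(headers, PAGE, ATTACKER), sibling: framingAllowed(headers, PAGE, SIBLING) },
  ]));
}

console.log(evaluateAll());
```

Only the `noPolicy` case leaves the page frameable by the attacker origin, which is the condition the report's clickjacking claim depends on; `frame-ancestors 'self'` is the fix that also survives an `X-Frame-Options` header being dropped or mangled by an intermediary.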
Vulnerable code to self DOM-based XSS:
https://assets.tumblr.com/assets/scripts/console/console.js
line 1309
```
// console.js, line 1309 (excerpt): linkify quoted http(s) string values in the
// rendered API response. `this` is an element whose text is one quoted string
// value (inferred from the prefix check below).
var e = jQuery(this);
if (0 === e.text().indexOf('"http://') || 0 === e.text().indexOf('"https://')) {
    // t is the value with its surrounding quotes removed; it comes straight
    // from the response text and is never escaped.
    var t = e.text().slice(1, - 1),
    n = jQuery('<a target="_blank">').text(e.text()).attr('href', t);
    // .html() parses t as markup, so a value like
    // https://www.<img src=x onerror='alert()'> creates live elements: the sink.
    n.html('"<u>' + t + '</u>"'),
    /\.(gif|jpg|jpeg|tiff|png)$/i.test(t) && n.addClass('image-modal'),
    e.html(n)
}
```
Line 1309, `n.html('"<u>' + t + '</u>"')`, inserts `t` into the DOM as raw HTML without escaping it; this triggers the self DOM-based XSS with this payload:
```
https://www.<img src=x onerror='alert()'>
```
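To make the sink concrete, here is an added example (not code from console.js, the report or Tumblr): the string-building step of the linkify routine above, reproduced without jQuery so it runs under Node, beside a hardened version that escapes `t` before it is concatenated into markup. `text` stands for the quoted string value the console renders (`e.text()` in the original); `escapeHtml`, `isQuotedHttpUrl`, `linkifyVulnerable`, `linkifyHardened`, `containsRawTag` and `PAYLOAD` are names chosen for this example.

```javascript
// Added example, not the console.js code itself: the markup handed to
// n.html() in the original, vulnerable and hardened, run on the reporter's
// payload. Names and the sample input are constructed for this example.

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Same branch condition as console.js: only quoted http(s) URLs are linkified.
function isQuotedHttpUrl(text) {
  return text.indexOf('"http://') === 0 || text.indexOf('"https://') === 0;
}

// Mirrors the original: t is the value with its quotes stripped, and the
// string passed to n.html() embeds t verbatim. Anything in t that parses as
// HTML becomes live DOM, which is the XSS sink.
function linkifyVulnerable(text) {
  if (!isQuotedHttpUrl(text)) return null;
  const t = text.slice(1, -1);
  return '"<u>' + t + '</u>"';
}

// Hardened variant: escape t before concatenation. The jQuery equivalent is
// to build the element with jQuery('<u>').text(t) instead of html(string).
// The href set via .attr('href', t) is left alone: attr() never parses t as
// markup, and the branch condition already limits the scheme to http(s).
function linkifyHardened(text) {
  if (!isQuotedHttpUrl(text)) return null;
  const t = text.slice(1, -1);
  return '"<u>' + escapeHtml(t) + '</u>"';
}

// Reporter's payload, as the console would see it inside a quoted string value.
const PAYLOAD = '"https://www.<img src=x onerror=\'alert()\'>"';

// true if the produced markup still opens any tag other than the <u> wrapper.
function containsRawTag(markup) {
  return /<(?!\/?u>)/.test(markup);
}

function demo() {
  return {
    vulnerable: linkifyVulnerable(PAYLOAD),
    hardened: linkifyHardened(PAYLOAD),
  };
}

console.log(demo());
```

The vulnerable output contains a live `<img ... onerror=...>` element, while the hardened output contains only `&lt;img ...&gt;` text inside the `<u>`; the self-XSS is entirely in the `.html()` call, so the fix is local to that line.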
Steps To Reproduce:
1. Log in at https://api.tumblr.com/console/calls/user/info
2. Open poc.html in Chrome and follow the instructions on the clickjacking page
(Note: I have only tested poc.html with Chrome.)
/!\ Note: this vulnerability needs a lot of user interaction, which is why I have rated this report as Low /!\
I hope poc.html works in your browser.
Thanks, bye.
## Impact
An attacker can manipulate a victim into clicking and following the instructions on the clickjacking page to trigger the self DOM-based XSS.
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Weakness
UI Redressing (Clickjacking)