Reflected XSS and open redirect on larksuite.com using /?back_uri= parameter.
Medium
Lark Technologies
Team Summary
Official summary from Lark Technologies
An XSS (Cross-Site Scripting) vulnerability was found in larksuite via the "back_uri" parameter, caused by the reflection of user-supplied data without appropriate HTML escaping or output encoding. This could result in a JavaScript payload being injected into the vulnerable endpoint and executed in the victim's browser. We thank imran_nasir for reporting this vulnerability and confirming its resolution.
Reported by
imran_nisar
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Submitted
Weakness
Cross-site Scripting (XSS) - Reflected
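
The team summary attributes the issue to reflecting "back_uri" without output encoding, and the report title also names an open redirect. The following is an added example, not Lark's code: one way to handle a return-URL parameter of this kind is to validate the target against an allow-list before redirecting and to HTML-escape the value wherever it is written into markup. The host list, base origin and function names are assumptions made for illustration.

```javascript
// Added example: hypothetical handling of a back_uri-style parameter.
// ALLOWED_HOSTS, BASE, safeBackUri and renderBackLink are illustrative names.
const ALLOWED_HOSTS = new Set(["www.example.com", "app.example.com"]); // constructed allow-list
const BASE = "https://www.example.com"; // assumed origin of the application
const FALLBACK = "/";

// HTML-escape a value for text nodes and quoted attribute values.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;", "`": "&#96;" };
  return String(s).replace(/[&<>"'`]/g, (c) => map[c]);
}

// Return a redirect target that is safe to use, or FALLBACK when the input is not acceptable.
function safeBackUri(raw) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) return FALLBACK;
  // Control characters and backslashes are normalised inconsistently by browsers: reject them.
  if (/[\u0000-\u001f\u007f\\]/.test(raw)) return FALLBACK;
  let url;
  try {
    url = new URL(raw, BASE); // relative paths resolve against our own origin
  } catch {
    return FALLBACK;
  }
  if (url.protocol !== "https:") return FALLBACK;         // blocks javascript:, data:, http:
  if (!ALLOWED_HOSTS.has(url.hostname)) return FALLBACK;  // blocks off-site and //host targets
  if (url.username || url.password) return FALLBACK;      // blocks user@host confusion
  return url.href;                                        // normalised, percent-encoded form
}

// Reflect the validated value into HTML with output encoding applied at the sink.
function renderBackLink(raw) {
  return `<a href="${escapeHtml(safeBackUri(raw))}">Back</a>`;
}
```

Validation and encoding address different sinks: the allow-list governs where a redirect may go, while escaping is still required at every point the value is written into a page.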