Introduction:
survey.dropbox.com was pointing to mysurveylab.com, so any of mysurveylab.com's forms were accessible through survey.dropbox.com. This led to stored XSS at survey.dropbox.com because mysurveylab.com's forms were vulnerable to XSS.
Impact: Nothing as far as I know. Except phishing!
POC:
Vulnerable section:
Timeline:
- Reported: Jan 14th 2017
- Closed as Informative: Jan 14th 2017
- MySurveyLab fixed the bug within a week (not sure).
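
A defender-side check for the situation described in the introduction, as an added example that is not part of the original post: it scans a DNS zone export for subdomains aliased to hosts outside the organisation's own domains, since any flaw in the vendor's application then surfaces on that subdomain's origin. The post does not say how survey.dropbox.com was pointed at mysurveylab.com; a CNAME record is assumed here, and the zone contents, domain names and function names are all constructed for illustration.

```python
# Added example: audit a DNS zone export for names aliased to hosts outside
# the organisation's own domains. All records below are constructed samples.

ZONE_EXPORT = """\
; name                 ttl  class type  target
www.example.com.       300  IN    CNAME example.com.
survey.example.com.    300  IN    CNAME forms.surveyvendor.test.
static.example.com.    300  IN    CNAME cdn.example.net.
promo.example.com.     300  IN    CNAME landing.notexample.com.
api.example.com.       300  IN    A     192.0.2.10
"""

# Assumption: registrable domains the organisation controls.
OWNED_DOMAINS = {"example.com", "example.net"}


def is_within(host, domain):
    """True if host equals domain or is a subdomain of it (label boundary)."""
    host = host.rstrip(".").lower()
    domain = domain.rstrip(".").lower()
    # Require a leading dot so "notexample.com" does not match "example.com".
    return host == domain or host.endswith("." + domain)


def third_party_aliases(zone_text, owned):
    """Return (name, target) for every CNAME whose target is not in `owned`."""
    findings = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0]  # drop zone-file comments
        fields = line.split()
        if len(fields) < 5 or fields[3].upper() != "CNAME":
            continue
        name, target = fields[0], fields[4]
        if not any(is_within(target, d) for d in owned):
            findings.append((name.rstrip(".").lower(), target.rstrip(".").lower()))
    return findings


if __name__ == "__main__":
    for name, target in third_party_aliases(ZONE_EXPORT, OWNED_DOMAINS):
        print(f"{name} -> {target}: content on this origin is served by a third party")
```

Each name it reports is an origin whose content is served by someone else, so the vendor's application belongs in scope when reviewing that subdomain.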