Email Html Injection @https://gigs.indeed.com/ - CrowdStream

Summary by pphreak_1001

The domain, https://gigs.indeed.com/ had an email html injection vulnerability on gigsearch. The GET parameter l= was the vulnerable parameter here, When html was injected in it, nothing would be triggered on the webpage but when the gigsearch alert form was filled for Job alert with victim's email, the payload was triggered in received email.

Activity

Kyle_indeed Customer published the disclosure report
2 years ago(03 Feb 2023 04:36:08 UTC)
pphreak_1001 requested disclosure
2 years ago(06 Dec 2022 08:36:58 UTC)
Indeed Jira Integration changed the state to Resolved
3 years ago(12 May 2022 01:06:39 UTC)
pphreak_1001 sent a message
3 years ago(11 Apr 2022 07:14:33 UTC)
Kyle_indeed Customer rewarded pphreak_1001
3 years ago(11 Apr 2022 06:51:06 UTC)
Kyle_indeed Customer changed the state to Unresolved
3 years ago(11 Apr 2022 06:51:03 UTC)
Kyle_indeed Customer rewarded pphreak_1001 5 points
3 years ago(11 Apr 2022 06:51:03 UTC)
Kyle_indeed Customer sent a message
3 years ago(11 Apr 2022 06:50:50 UTC)
pphreak_1001 sent a message
3 years ago(08 Apr 2022 05:51:43 UTC)
pphreak_1001 sent a message
3 years ago(04 Apr 2022 08:19:56 UTC)
sophie_bugcrowd sent a message
3 years ago(31 Mar 2022 07:12:00 UTC)
sophie_bugcrowd changed the state to Triaged
3 years ago(31 Mar 2022 07:11:46 UTC)
pphreak_1001 sent a message
3 years ago(30 Mar 2022 18:19:08 UTC)
pphreak_1001 created the submission
3 years ago(30 Mar 2022 18:17:36 UTC)