DOM-Based XSS Vulnerability via Console Injection

Disclosed by
0xZoro1337
Summary by National Aeronautics and Space Administration (NASA) - Vulnerability Disclosure Program

Self Reflected XSS

Summary by 0xZoro1337

This report identifies a DOM-Based XSS vulnerability on https://scijinks.gov/ that allows attackers to inject and execute JavaScript through browser console manipulation. Although no direct input field was abused, the application uses unsafe DOM methods like innerHTML that process untrusted input without sanitization. This type of issue, while rated P5, highlights how even non-traditional vectors (like console access) can reflect weak handling of DOM content in client-side code.

This submission is informational, aimed at educating developers and researchers about the importance of securing all input channels—including those exposed via dev tools.
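The root cause the report points at is the sink, not the channel: once page code assigns untrusted text to `innerHTML`, any way of getting a string there (a URL fragment, a stored value, or the console) renders it as markup. The following is an added example, not code from the report or from scijinks.gov, and the function names and the sample input are constructed for illustration. It places the unsafe concatenation pattern next to two hardened forms (escape-before-interpolate, and build DOM nodes with `textContent`), and adds a small review helper that flags non-literal `innerHTML`/`outerHTML` assignments and `document.write` calls in a script's source.

```javascript
// Added example (not from the report or from scijinks.gov). All function
// names are hypothetical; the untrusted sample below is constructed.

// Escape the characters that let text change HTML structure. '&' must be
// replaced first so later replacements are not double-escaped.
function escapeHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Unsafe pattern: markup built by concatenation and later assigned to
// el.innerHTML, so any tags inside `name` become part of the DOM.
function renderGreetingUnsafe(name) {
  return "<p>Hello, " + name + "</p>";
}

// Hardened pattern 1: escape the untrusted part before interpolation. The
// surrounding markup may still go through innerHTML, but `name` is text.
function renderGreetingEscaped(name) {
  return "<p>Hello, " + escapeHtml(name) + "</p>";
}

// Hardened pattern 2 (preferred): never hand untrusted data to the HTML
// parser at all. Create nodes and set textContent. Needs a live DOM.
function renderGreetingAsNodes(container, name) {
  const p = container.ownerDocument.createElement("p");
  p.textContent = "Hello, " + name; // textContent never parses markup
  container.replaceChildren(p);
  return p;
}

// Review aid: report lines that assign a non-literal value to innerHTML or
// outerHTML (including '+='), or call document.write. String literals and
// '==' comparisons are skipped; template literals are kept because they
// may interpolate untrusted values.
function findRiskySinks(source) {
  const pattern = /\.(innerHTML|outerHTML)\s*\+?=(?!=)\s*(?![\s"'])|document\.write\s*\(/;
  return source
    .split("\n")
    .map((line, i) => ({ line: i + 1, text: line.trim() }))
    .filter(({ text }) => pattern.test(text));
}

// Constructed untrusted input used to compare the two string renderers.
const constructedInput = "<script>alert(1)</script>";

function compare(input) {
  return {
    unsafe: renderGreetingUnsafe(input),
    escaped: renderGreetingEscaped(input),
  };
}

if (typeof document !== "undefined") {
  // In a browser, render the sample as a text node; nothing executes.
  renderGreetingAsNodes(document.body, constructedInput);
} else {
  // Under Node there is no DOM; show the string-level difference instead.
  console.log(compare(constructedInput));
}
```

The second hardened form is the one to prefer in page code: it removes the parser from the data path entirely, so the fix holds regardless of where the string came from. The `findRiskySinks` helper is deliberately line-based and approximate; it is a triage aid for a code review of a site's own scripts, not a substitute for a proper static analysis run.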
