In this journey, I will share my experience with a valid report I submitted. This will be a series until I discover new vulnerabilities. Let's begin!
This program has a lot of attack surface. It was a single web app, but with user management, different roles, and so on… kind of a SaaS platform.
I found my first stored XSS.
However, there is a feature where a top-level admin is able to share their document with company people. So basically, the admin creates a document on the platform and clicks to share.
But when I intercepted the request, I realized I could change the document link.
So I tried a couple of XSS payloads, but they didn't work. After that, I realized it's kind of an href attribute, and maybe it would work with just this payload.
By the way, I am not a master of XSS and client-side attacks.

javascript:alert(1)

When I visited the document and clicked it on a different account, the XSS popup appeared and worked.
I took a PoC video and prepared the report.
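The bug above comes down to one missing check: the shared document link was stored and later rendered into an href without restricting its URL scheme, so a javascript: URL executed when another user clicked it. The block below is an added example, not code from the original report or from the affected platform. It shows a naive prefix check of the kind that a javascript: payload slips past, beside a hardened check that parses the link with the WHATWG URL parser (the same algorithm the browser applies) and allowlists http and https only. The function names, the `https://app.example/` base origin and the sample inputs are all assumptions made for illustration.

```javascript
// Added example (not from the original writeup): validating a user-supplied
// document link before it is stored and rendered into an <a href=...>.
// Assumes Node.js >= 10, where the WHATWG URL class is a global.

const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Naive check of the kind that still lets the payload through: it only looks
// for the literal lowercase prefix, so a change of case or an embedded tab
// bypasses it. Hypothetical helper, shown for contrast only.
function naiveIsSafeLink(href) {
  return !href.startsWith('javascript:');
}

// Hardened check: parse with the WHATWG URL parser and allowlist the scheme.
// The parser strips leading/trailing whitespace and embedded tabs/newlines and
// lowercases the scheme, so the obfuscated variants below all resolve to
// "javascript:" here, exactly as they would in the browser.
// `base` is a hypothetical app origin used to resolve relative links ("/docs/42").
function isSafeDocumentLink(href, base = 'https://app.example/') {
  if (typeof href !== 'string' || href.length === 0 || href.length > 2048) {
    return false;
  }
  let url;
  try {
    url = new URL(href, base);
  } catch {
    // Unparseable input is rejected rather than handed to the browser to guess at.
    return false;
  }
  return ALLOWED_SCHEMES.has(url.protocol);
}

// Constructed sample inputs: the payload from the writeup plus variants the
// browser still executes, and a data: URL that is not an XSS vector via href
// in modern browsers but has no business in a document link either.
const SAMPLE_LINKS = [
  'https://app.example/docs/42',
  '/docs/42',
  'javascript:alert(1)',
  'JaVaScRiPt:alert(1)',
  '  javascript:alert(1)',
  'java\tscript:alert(1)',
  'data:text/html,<script>alert(1)</script>',
];

// Returns one row per link with the verdict of each check, so the two can be
// compared side by side.
function classifyLinks(links) {
  return links.map((href) => ({
    href,
    naive: naiveIsSafeLink(href),
    hardened: isSafeDocumentLink(href),
  }));
}

console.table(classifyLinks(SAMPLE_LINKS));
```

Scheme allowlisting on the way in is the fix; rejecting javascript: by denylist is not, because the browser normalizes case and strips tabs before it resolves the scheme, as the variants in the table show. The same check should run again at render time if links can reach the page from any path that skipped the validation.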

Severity was downgraded to Low because they said:

Timeline
04.11.2025 - Reported
11.11.2025 - Accepted and Reward €€€ (Low)