I Injected Malicious script on Project Name i.e "><img src=x onerror=prompt('ProjectName');> and found that it is vulnerable to Stored XSS vulnerability via Project Name Input Field. For your reference, PoC Link: https://thimbleprojects.org/adeelimtiaz90/205667/
Nice find! Thanks Adeel! Stored XSS is usually sec-critical, but I consider it running on the separate thimbleprojects.org usercontent domain instead of a mozilla.org subdomain a mitigating circumstance and gave this sec-high. Happy to upgrade the severity if you have a way to execute JS on a mozilla.org subdomain.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: sec-high, wsec-xss
Whiteboard: [reporter-external] [web-bounty-form] [verif?] → [reporter-external] [web-bounty-form]
Status: NEW → RESOLVED
Last Resolved: a year ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.