ferrodaddy.blogg.se

Slack desktop app download













The XSS vulnerability could lead to HTML injection, oskarsv warned. “An 18 billion dollar company paying less than $2k for a critical RCE is a disgrace,” added. If their bounty table is on the lower side,” wrote.


“I hope at least in future, programs pay good bonus amount for exceptional bugs.” The company paid $1,750 as a reward, a move that was criticized on Twitter. They wrote: “The vulnerability in my opinion is critical by itself and should be fixed either way.” XSS payloads are out of scope for the company’s program, and therefore were not eligible for a separate report. The researcher also reported a lesser cross-site scripting (XSS) vulnerability leading to HTML injection in Slack.


“With any in-app redirect - logic/open redirect, HTML or JavaScript injection it’s possible to execute arbitrary code within Slack desktop apps,” a bug bounty write-up reads. The RCE bug was rated between nine and 10 on the CVSS scale. However, the billion-dollar company has been slammed for offering what critics have described as a low payment for a high severity bug.

By leveraging the flaw, which has now been fixed, attackers could gain access to a user’s private conversations and passwords, among other information. The bug in the desktop application was discovered by researcher oskarsv, who reported the flaw through Slack’s HackerOne bug bounty program.

Recently-patched bug could allow attackers to access private conversations

A critical vulnerability in business communications app Slack could allow remote code execution (RCE).













