TeslaMotor Cross Site Scripting Vulnerability

13:17 Posted by Ali Hassan Ghori
I found some XSS issue in suppliers.teslamotors.com domain.

Steps To Reproduce:
Note: For Intercepting the Request. I used Firefox Add-on Tamper Data.

1-  Visit: https://suppliers.teslamotors.com/supplier/

2- ​Type username and password in the given fields.

3- Before Click on Login Button, Run TAMPER DATA and start to Tamper.

4- Back to Page, Click on check box "Remember me"

5- Click on Login button. Your request is now tampered by tamper data. replace parameter 'remember-me' value "1" with your {XSS payload}.

6- Click on "OK" Button.

7- XSS Pop Up !!!

Snap Shot:

TeslaMotor Cross Site Scripting Vulnerability

Video PoC: