XSS via file upload
I found XSS via file upload: I uploaded an SVG file, which was stored in Google Cloud and reflected with XSS.
1) Log in at app.xyz.com
2) Go to Online Store >> Settings >> Email Notification >> Email design
3) Click Edit
4) Upload the file with the SVG payload
5) Save the file and open the image in a new tab
But it was marked as a duplicate.
The next day I observed that the bug had been patched and we couldn't do XSS anymore.
But afterwards I saw that the URL had changed
After URL decoding
What if I remove the convert part from the URL?
Oh, we get the pop-up again.
After reporting, it got triaged.