LinkedIn Oncall 1.4.0 XSS

By Anandhu Krishnan, published on 10 Jan 2022
Vulnerability

Description

LinkedIn Oncall is the on-call management and scheduling system at LinkedIn. It offers highly customizable scheduling for on-call shifts, as well as a streamlined UI for editing, swapping, and overriding on-call shifts.

LinkedIn Oncall through 1.4.0 allows reflected XSS via /query because the “No results found for” message in the search bar echoes the submitted search term without proper handling.
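To show the bug class concretely, here is an added example that is not Oncall's own code: a hypothetical stand-in for a "No results found for" template, first rendered by concatenating the search term straight into markup, then hardened by entity-encoding the term before it reaches the page.

```javascript
// Added example, not LinkedIn Oncall's code. The template string is a
// hypothetical stand-in for the "No results found for" message on /query.

// Minimal entity encoder for untrusted text placed inside element content.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// VULNERABLE pattern: the raw search term is concatenated into HTML. If the
// result is assigned to innerHTML, any tag in the term becomes live markup.
function renderNoResultsUnsafe(term) {
  return `<p class="no-results">No results found for ${term}</p>`;
}

// HARDENED pattern: the term is encoded first, so the browser shows it as
// literal text no matter what characters it contains.
function renderNoResultsSafe(term) {
  return `<p class="no-results">No results found for ${escapeHtml(term)}</p>`;
}

// Regression check a defender can keep in a test suite: does a renderer
// echo a term containing markup characters back verbatim?
function reflectsMarkupVerbatim(render, term) {
  return /[<>"']/.test(term) && render(term).includes(term);
}

// Constructed probe: a harmless tag that must be displayed, not interpreted.
const probe = '<b>probe</b>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderNoResultsUnsafe(probe)); // tag survives as markup
  console.log(renderNoResultsSafe(probe));   // tag shown as &lt;b&gt;probe&lt;/b&gt;
}

module.exports = { escapeHtml, renderNoResultsUnsafe, renderNoResultsSafe, reflectsMarkupVerbatim, probe };
```

The same check applies to any server-side template that builds the message: the fix is output encoding at the point where the term enters HTML, not input filtering.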

Impact

  • If the attacker-controlled script running in the victim’s browser is used to install a remote access trojan (RAT), the attacker can fully compromise that user’s device

  • Attackers can change any information that the user is able to change

  • Attackers can read any information that the user is able to view

  • Attackers can perform any action on the user’s behalf

Recommendation

  • Update LinkedIn Oncall to the latest version.

Written by Anandhu Krishnan, Lead Engineer