LinkedIn Oncall is the on-call management and scheduling system at LinkedIn. It offers highly customizable scheduling for on-call shifts, as well as a streamlined UI for editing, swapping, and overriding on-call shifts.
LinkedIn Oncall through 1.4.0 allows reflected XSS via /query because of mishandling of the “No results found for” message in the search bar.
If attackers can control the script that is executed in the victim's browser, for example by using it to install a RAT, then the attacker can fully compromise that user's device.
Attackers can change any information that the user is able to change.
Attackers can view any information that the user is able to view.
Attackers can perform any action on the user's behalf.