LinkedIn Oncall 1.4.0 XSS

By
Anandhu Krishnan
Published on
10 Jan 2022
Vulnerability

Description

LinkedIn Oncall is the on-call management and scheduling system at LinkedIn. It offers highly customizable scheduling for on-call shifts, as well as a streamlined UI for editing, swapping, and overriding on-call shifts.

LinkedIn Oncall through 1.4.0 allows reflected XSS via /query because of mishandling of the “No results found for” message in the search bar.
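The pattern behind a reflected XSS of this kind, as an added illustration (this is not Oncall's code, and the function and element names below are hypothetical): a search term is concatenated straight into the "No results found for" markup, versus the same message rendered with the term HTML-escaped first. The third function is the kind of check a tester or reviewer can run against rendered output to spot whether a query string survives into the page unescaped.

```javascript
// Added example, not from the LinkedIn Oncall project. It models a search-result
// page that echoes the user's query back in a "No results found for ..." message.

// Minimal HTML escaping for text placed inside an element body or a quoted attribute.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern (hypothetical): the raw query is interpolated into markup,
// so any tag in the query becomes part of the document the browser parses.
function renderNoResultsUnsafe(query) {
  return '<div class="no-results">No results found for ' + query + '</div>';
}

// Hardened form: escape the query before interpolation. In a real DOM context the
// equivalent is assigning the query to element.textContent instead of innerHTML.
function renderNoResultsSafe(query) {
  return '<div class="no-results">No results found for ' + escapeHtml(query) + '</div>';
}

// Detection helper: does the rendered HTML still contain a tag that originated in
// the query? True means the query was reflected without escaping.
function reflectsUnescaped(query, html) {
  const tags = String(query).match(/<[^>]+>/g) || [];
  return tags.some((tag) => html.includes(tag));
}

// Constructed sample query, the generic marker used to test for reflection.
const SAMPLE_QUERY = '<script>alert(1)</script>';

module.exports = { escapeHtml, renderNoResultsUnsafe, renderNoResultsSafe, reflectsUnescaped, SAMPLE_QUERY };
```

Escaping at the output point is the fix for the message itself; a Content-Security-Policy that disallows inline script is a complementary layer that limits what a reflected payload can do if another sink is missed.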

Impact

  • If an attacker can control the script executed in the victim's browser (for example by using it to install a RAT), the attacker can fully compromise that user's device

  • Attackers can change any information that the user is able to change

  • Attackers can view any information that the user is able to view

  • Attackers can perform any action on the user’s behalf

Recommendation

  • Update LinkedIn Oncall to the latest version.

Written by
Anandhu Krishnan
Lead Engineer