
Vulnerability
Description
LinkedIn Oncall is the on-call management and scheduling system at LinkedIn. It offers highly customizable scheduling for on-call shifts, as well as a streamlined UI for editing, swapping, and overriding on-call shifts.
LinkedIn Oncall through 1.4.0 allows reflected XSS via /query because of mishandling of the “No results found for” message in the search bar.
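The pattern behind this class of bug, as an added illustration that is not Oncall's own code: a search term taken from the URL is spliced unescaped into the "No results found for" message, beside the hardened form that HTML-escapes it first. The parameter name `q`, the host `oncall.example`, and the probe string are assumptions constructed for the example.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# Constructed search term for illustration only (not taken from the advisory).
PROBE_QUERY = "<script>probe</script>"


def extract_query(url: str) -> str:
    """Pull the search term out of a /query URL (hypothetical parameter name 'q')."""
    params = parse_qs(urlsplit(url).query)
    return params.get("q", [""])[0]


def render_no_results_vulnerable(term: str) -> str:
    """Reflected-XSS pattern: the raw term lands inside markup unchanged."""
    return f"<div class='search-msg'>No results found for {term}</div>"


def render_no_results_safe(term: str) -> str:
    """Hardened form: escape <, >, &, and quotes before the term reaches HTML.

    The same rule holds for client-side rendering: assign the term with
    textContent (or an escaping template helper), never via innerHTML.
    """
    return f"<div class='search-msg'>No results found for {html.escape(term, quote=True)}</div>"


def reflects_markup(rendered: str, term: str) -> bool:
    """Check used in a regression test: does the term's raw markup survive into the output?"""
    return "<" in term and term in rendered


def main() -> None:
    url = "https://oncall.example/query?q=" + quote(PROBE_QUERY, safe="")
    term = extract_query(url)
    for label, render in (("vulnerable", render_no_results_vulnerable),
                          ("safe", render_no_results_safe)):
        out = render(term)
        print(f"{label:10s} reflects markup: {reflects_markup(out, term)}")
        print(f"           {out}")


if __name__ == "__main__":
    main()
```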
Impact
If attackers can control the script that is executed in the victim's browser, for example by intentionally installing a RAT, then they can fully compromise that user's device.
Attackers can change any information that the user is able to change
Attackers can view any information that the user is able to view
Attackers can perform any action on the user’s behalf
Recommendation
- Update LinkedIn Oncall to the latest version.