Stored Cross-Site Scripting (XSS) Vulnerability in Virtual Agent

I discovered a Stored XSS vulnerability in the Virtual Agent feature of a public program on HackerOne. The issue occurs when uploading a file containing JavaScript code, which gets executed upon viewing the file.

Vulnerability Details

Type: Stored Cross-Site Scripting (XSS)Feature Affected: Virtual AgentImpact: An attacker could execute malicious JavaScript code in the context of another user’s browser session, leading to potential session hijacking, phishing, or other malicious activities.Tested Environment: Browser on https://www.travelocity.com

Steps to Reproduce

Log in to TravelocityNavigate to the Virtual Agent

3. File Upload in Virtual Agent:

In the Virtual Agent interface, locate the file upload option.

Prepare an HTML file containing malicious JavaScript, such as:

<html>
<script>
alert("XSS triggered!");
</script>
</html>

4. Observe the Execution:

After the file is uploaded, the embedded JavaScript is executed in the browser, triggering an alert with the message:
"XSS triggered!".

Impact

This vulnerability could lead to the following risks:

Session Hijacking: An attacker could steal session cookies.Defacement: The attacker could modify the website’s appearance.Phishing: Users could be redirected to malicious websites.Data Theft: Sensitive user data could be stolen.