A blind stored XSS vulnerability was discovered in Google's Invoice Submission Portal on gist-uploadmyinvoice.appspot.com by bypassing front-end PDF file validation through content-type manipulation, allowing arbitrary HTML/JavaScript execution when invoices were viewed by Google employees on googleplex.com. The vulnerability was triggered when uploaded files with modified Content-Type headers were rendered as HTML instead of PDF, executing attacker-controlled JavaScript in the context of an internal Google domain.
An XSS vulnerability in Facebook Studio was discovered via an incorrect Content-Type header (text/html instead of application/json), which allowed malicious JavaScript to bypass client-side escaping and XSS filters by exploiting content-type sniffing behavior. The vulnerability was fixed by correcting the Content-Type header to application/json.
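
A server-side counterpart to both reports above, as an added example that is not code from either affected application: the upload is judged on its bytes rather than on the client-declared Content-Type, and every response carries a server-fixed Content-Type with sniffing disabled. The function names, the sample inputs and the extra headers beyond Content-Type are assumptions.

```python
import json

PDF_MAGIC = b"%PDF-"


class RejectedUpload(ValueError):
    """Raised when an upload's bytes do not look like a PDF."""


def validate_pdf_upload(declared_type, body):
    # declared_type is the Content-Type sent by the client. The client controls
    # it (and any front-end check), so it is used for logging only.
    if not body.startswith(PDF_MAGIC):
        raise RejectedUpload(f"not a PDF (client declared {declared_type!r})")
    # A magic-byte check alone does not stop polyglot files; the response
    # headers below are what keep a stored file from rendering as HTML.
    return body


def stored_file_headers():
    # Set by the server for every stored invoice, never replayed from the upload.
    return {
        "Content-Type": "application/pdf",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": 'attachment; filename="invoice.pdf"',
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }


def json_response(payload):
    body = json.dumps(payload).encode("utf-8")
    # In JSON these characters can only occur inside strings, so escaping them
    # keeps the document equivalent while leaving no markup for an HTML parser.
    for ch, esc in ((b"<", b"\\u003c"), (b">", b"\\u003e"), (b"&", b"\\u0026")):
        body = body.replace(ch, esc)
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return headers, body


if __name__ == "__main__":
    # Constructed sample: HTML bytes uploaded with a PDF content type.
    try:
        validate_pdf_upload("application/pdf", b"<html><body>not a pdf</body></html>")
    except RejectedUpload as err:
        print("rejected:", err)
    print(json_response({"title": "<b>Q3 & Q4</b>"}))
```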