A researcher discovered a stored blind XSS vulnerability in GoDaddy's internal customer support CRM panel by injecting payloads into the first/last name fields of a customer account; the payloads fired later, when support agents viewed that account in the CRM, which would allow hijacking of an agent's session and manipulation of customer accounts. The vulnerability was reported through GoDaddy's bug bounty program, marked as a known duplicate, and remediated through input filtering rather than output encoding. Because a blind payload renders in a different application from the one that accepted it, filtering at the customer-facing form leaves every other consumer of the stored name exposed; context-aware encoding at the point of output is the durable fix.
A bug bounty writeup covering three reflected XSS vulnerabilities discovered on a Synack program: one via a javascript: URI placed in a referrer parameter, one by bypassing the password-check parameter on the account-details modification request, and one via insufficient input filtering of an email-recovery parameter.
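The two summaries above turn on the same point: where the fix goes. The CRM bug was patched by filtering input, and the javascript: URI bug shows that even an encoded string is unsafe in an href if its scheme is never checked. The following is an added example, not code from either writeup or from the affected sites; the function names, the constructed payloads and the crm.example.invalid host are assumptions for illustration only. It places a naive strip-the-script-tag filter beside a text/attribute encoder and a scheme-allowlisted URL check, then renders a vulnerable and a hardened version of an agent view and of a referrer-driven "Back" link.

```javascript
// Added example (not from either writeup). Names, payloads and the
// crm.example.invalid host are constructed for illustration.

// 1. Naive input filtering: removes <script> tags and nothing else.
//    Typical of a "fix the string on the way in" remediation; an event
//    handler on any other element passes straight through.
function naiveStripScript(input) {
  return String(input).replace(/<\/?script[^>]*>/gi, '');
}

// 2. Output encoding for HTML text and quoted attribute contexts.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[c]);
}

// 3. URL context: an href needs a parsed, allow-listed scheme; encoding alone
//    does nothing to "javascript:alert(1)". new URL() strips leading whitespace
//    and embedded tabs/newlines, so " JavaScript:" and "java\tscript:" both
//    normalise to protocol "javascript:" and are rejected. Relative paths
//    resolve against the CRM's own origin (assumed host).
const SAFE_SCHEMES = new Set(['http:', 'https:']);
function safeHref(candidate, base = 'https://crm.example.invalid/') {
  let url;
  try {
    url = new URL(String(candidate), base);
  } catch (e) {
    return null; // unparseable: treat as unsafe
  }
  return SAFE_SCHEMES.has(url.protocol) ? url.href : null;
}

// Stored blind XSS shape: the name was accepted on the customer site, but is
// rendered here, in the agent-facing CRM, by plain string concatenation.
function renderAgentViewVulnerable(customer) {
  return `<h1>${customer.firstName} ${customer.lastName}</h1>`;
}

// Hardened: encode at the point of output, whatever upstream did or did not filter.
function renderAgentView(customer) {
  return `<h1>${escapeHtml(customer.firstName)} ${escapeHtml(customer.lastName)}</h1>`;
}

// Reflected XSS shape: a referrer-derived parameter dropped straight into href.
function backLinkVulnerable(returnTo) {
  return `<a href="${returnTo}">Back</a>`;
}

// Hardened: validate the scheme first, then encode for the attribute context.
function backLink(returnTo) {
  const href = safeHref(returnTo) || '/';
  return `<a href="${escapeHtml(href)}">Back</a>`;
}

// Constructed payloads for a quick stand-alone run.
const namePayload = '<img src=x onerror=alert(1)>';
console.log('filtered name still has handler:',
  naiveStripScript(namePayload).includes('onerror='));
console.log(renderAgentViewVulnerable({ firstName: naiveStripScript(namePayload), lastName: 'Doe' }));
console.log(renderAgentView({ firstName: namePayload, lastName: 'Doe' }));
console.log(backLinkVulnerable('javascript:alert(1)'));
console.log(backLink('javascript:alert(1)'));
console.log(backLink('/account'));
```

The scheme allowlist only answers the XSS question; a protocol-relative or absolute https URL to another host still passes, so an open-redirect check on the origin is a separate control if the link is followed automatically.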