bug-bounty490
google398
microsoft329
xss293
facebook288
rce199
exploit191
apple187
malware173
cve127
account-takeover113
bragging-post101
csrf86
privilege-escalation85
phishing81
browser80
supply-chain67
writeup66
dos66
stored-xss64
react64
authentication-bypass62
reflected-xss57
cloudflare56
node55
reverse-engineering53
ssrf51
aws51
docker50
input-validation48
access-control47
cross-site-scripting46
oauth46
smart-contract45
web345
ethereum43
defi42
sql-injection42
lfi41
web-security40
info-disclosure40
cloud39
web-application39
race-condition38
pentest37
ctf36
idor35
burp-suite35
vulnerability-disclosure34
html-injection33
0
8/10
Steam Inventory Helper Chrome extension v1.13.6 suffered from a DOM-based XSS in bookmarks.html combined with clickjacking via over-permissive web_accessible_resources, allowing arbitrary JavaScript execution in the extension's privileged context and hijacking of all authenticated websites. The vulnerability exploits jQuery's unsafe DOM manipulation APIs (html/append) paired with unsafe-eval CSP directive, weaponized through UI redressing to trick users into pasting XSS payloads.
dom-xss
clickjacking
chrome-extension
uxss
csp-bypass
jquery-vulnerability
unsafe-eval
web-accessible-resources
ui-redressing
privilege-escalation
Steam Inventory Helper
Matthew Bryant
Chrome