A reflected XSS vulnerability was discovered on admin.google.com's ServiceNotAllowed page where the 'continue' parameter was not validated, allowing attackers to inject javascript: protocol URLs that execute when the page redirects, enabling account takeover and privilege escalation of Google Apps administrators.
A DOM-based XSS vulnerability in Google Crisis Map was discovered by bypassing client-side URL validation via request interception, then chained with a missing X-Frame-Options header to enable clickjacking attacks on published maps. The vulnerability required users to click through an overlaid iframe to trigger JavaScript execution.
An XSS vulnerability on Flickr's mobile site (m.flickr.com) was exploited by bypassing a regex-based URL validation check that failed to anchor to the start of the string, allowing an attacker to inject external URLs containing 'm.flickr.com' which were then loaded via CORS and executed as JavaScript through innerHTML.