Stored XSS in LibreOffice

Aayush kumar
2 min read · Aug 11, 2024


Without wasting any time, let’s dive in. Over time, I’ve realized that bug bounty hunting is a blend of luck and hard work. You don’t always have to put in a ton of effort — sometimes, bugs just fall into your lap.

One day, I was randomly surfing YouTube and suddenly I got an email saying that LibreOffice had launched their bug bounty program on Intigriti, which is now closed. I immediately checked the scope, but since I wasn’t familiar with binary exploitation at the time, I decided to focus on the web assets.

After about 20 minutes, I noticed an interesting feature that allowed users to upload extensions. Additionally, there was an option to add screenshots of the extensions you created. Suddenly, I remembered a HackerOne report (https://hackerone.com/reports/964550) where the researcher was able to trigger an alert by including an XSS payload in a file.

You can read more about it here: https://shahjerry33.medium.com/xss-via-exif-data-the-p2-elevator-d09e7b7fe9b9

So I uploaded the payload (a PNG file):

Lol"><script>alert(prompt('Xss By Bunny0417'))</script>
(binary PNG image data follows; omitted here)

You have to find the reflection point to see the payload working, which I cannot disclose for obvious reasons. But after finding it I saw my payload working :)
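The bug class here is image metadata reflected into HTML without escaping. The following is an added example, not the author's code and not LibreOffice's extension site: it builds a minimal PNG whose tEXt "Comment" chunk carries a constructed, harmless payload string, parses the PNG chunks back out (with CRC checks), and then renders the metadata two ways, the unescaped pattern that produces stored XSS and the escaped pattern that defuses it. The field name and the reflection path are assumptions; the post does not disclose where the real site reflected the file.

```python
import html
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Constructed test payload (harmless, ASCII-only so it fits a Latin-1 tEXt chunk).
CONSTRUCTED_PAYLOAD = 'x"><script>alert(1)</script>'


def png_chunk(chunk_type: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(chunk_type + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + chunk_type + data + struct.pack(">I", crc)


def build_png_with_comment(comment: str) -> bytes:
    """Construct a valid 1x1 grayscale PNG that carries a tEXt 'Comment' chunk (hypothetical field)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, 8-bit, grayscale
    text = b"Comment\x00" + comment.encode("latin-1")      # tEXt is keyword NUL value, Latin-1
    idat = zlib.compress(b"\x00\x00")                       # filter byte + one pixel
    return (PNG_SIGNATURE + png_chunk(b"IHDR", ihdr) + png_chunk(b"tEXt", text)
            + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b""))


def iter_chunks(data: bytes):
    """Yield (type, body) for each chunk, verifying the signature and every CRC."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            raise ValueError(f"truncated {ctype!r} chunk")
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        yield ctype, body
        pos += 12 + length
        if ctype == b"IEND":
            break


def extract_text_metadata(data: bytes) -> dict:
    """Collect keyword -> value pairs from all tEXt chunks (the attacker-controlled input)."""
    meta = {}
    for ctype, body in iter_chunks(data):
        if ctype == b"tEXt":
            key, _, value = body.partition(b"\x00")
            meta[key.decode("latin-1")] = value.decode("latin-1")
    return meta


def render_unsafe(meta: dict) -> str:
    """Vulnerable pattern: metadata interpolated straight into HTML."""
    return "".join(f"<li>{k}: {v}</li>" for k, v in meta.items())


def render_safe(meta: dict) -> str:
    """Hardened pattern: every untrusted string is HTML-escaped, quotes included."""
    return "".join(
        f"<li>{html.escape(k, quote=True)}: {html.escape(v, quote=True)}</li>"
        for k, v in meta.items()
    )


if __name__ == "__main__":
    png = build_png_with_comment(CONSTRUCTED_PAYLOAD)
    meta = extract_text_metadata(png)
    print("extracted:", meta)
    print("unsafe   :", render_unsafe(meta))
    print("safe     :", render_safe(meta))
```

The same escaping rule applies to every other place a file's metadata can surface (file name, EXIF fields, alt text); the fix is output encoding at the rendering point, not stripping characters from the upload.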

This was my first 4 digit bounty :)

BB TIP: Always keep an eye on new programs (you can use this website: https://bbradar.io/) and always try to read HackerOne disclosed reports. Remember, you can't find something that you don't know about. Best of luck for your journey.
