resolved
HTML Injection in LinkedIn Premium Support Chat
Bug reported by atul nagaraj was disclosed at May 7, 2025, 7:53 am |
The vulnerability exists in the LinkedIn Premium support chat interface where unsanitized HTML input was rendered directly in the chat window. An attacker could have exploited this by injecting malicious HTML such as clickable links, potentially leading to phishing or redirection attacks on LinkedIn support staff. The observed behavior was that HTML, such as `` tags, was rendered in the chat and appeared clickable to support agents. The expected behavior was that user input in chat should have been sanitized and rendered as plain text without interpreting any HTML or tags.
resolved
BAC – Bypass chatbot restrictions via unauthorized mention injection
Bug reported by _dha was disclosed at May 6, 2025, 2:24 pm |
The Gemini chatbot was found to have a vulnerability that allowed unauthorized users to bypass permission restrictions and interact with the chatbot. The vulnerability was discovered when a user manually edited the request by changing the "mention" and "configurationId" fields, which allowed them to communicate with the disabled Gemini chatbot despite not having the proper permissions.
![[Image: e72398fe92beda2aa80d0329e8b9f4febece7568.gif]](https://64.media.tumblr.com/834502d05f9b014cbc37366fe428a5a7/13cb9841c0799d7a-ff/s500x560/e72398fe92beda2aa80d0329e8b9f4febece7568.gif)
