[DISCLOSURE] DoorDash Enabled 5-Year XSS/HTML Injection Flaw via Official Email; VDP Misclassified Report for 15 Months

News

The vulnerability was a critical stored HTML Injection that allowed any free account to send zero-barrier phishing emails from the trusted [no-reply@doordash.com](mailto:no-reply@doordash.com) domain. The flaw existed for 5 years and was kept out of DoorDash's hands for 15 months by a misclassification in the HackerOne VDP process.

submitted by /u/east0n12