Hello team,


There is a website caled trustpilot.com,which gives the reviews for websites.it is giving reviews to google.com website also,where we can trigger our payload to effect the site internally via trustpilot.

steps to reproduce:

1.go to url:https://www.trustpilot.com/evaluate/www.google.com
2.now insert the payload :
"/><svg/onload=prompt(1)>
"/><img src=x onerror=prompt(1)>   into the "write your review"box.
3.you can see the payload get triggered.
4.whenever a user of google is  clicking the review of that attacker xss gets executed-it is the "STORED XSS"
5.
It would be impossible to get XSS to the frontpage, but it is possible to inject the payload to your internal tools via trustpilot.So this can also effect the google internally


i recently reported this issue to other website which is effected by trustpilot internally,they also confirmed after investigating that this can effect their website internally via trustpilot.I was not able to show my report because it is not yet disclosed yet.
let me know if information is required.thanks!
 

Deleted: Screenshot (420).png 148 KB

	Screenshot (420).png 148 KB View Download

Deleted: Screenshot (419).png 157 KB

	Screenshot (419).png 157 KB View Download