Besides the blind XSS that I found against a Googler, I also found multiple stored XSS that executed on hire.withgoogle.com. Following are the vulnerabilities that I found:
XSS with Job Description
When we create a job in hire.withgoogle.com, we can append a job description to inform the potential candidates about the job. One thing we could do was add a hyperlink. As usual, I tried to just put
Because it was interesting to see that it had HTML snippets in it, I went ahead and added one more HTML snippet: <script>alert(document.domain)</script>. After that, I went ahead and published the job. When I browsed to the job later on, it executed the XSS.
XSS in Company Name and Department Name
While I was browsing https://hire.withgoogle.com/public/jobs/securifyinccom, I clicked on a job that I made and started checking how the information was loaded. During the process, I realized that the company name and department name were saved inside a <script> tag.
After that, I went back to my admin panel and changed my company name to a simple XSS payload: </script><script>alert(document.domain)</script><script>. I added this snippet to first close the <script> tag that was already open in the code and then create an XSS alert. After that, to make sure the page looked neat, I reopened another <script> tag. This also worked as expected and executed on hire.withgoogle.com.
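Both findings come down to the same defect: a tenant-controlled string is written into the page without encoding for the context it lands in. The example below is added here and is not code from the original post or from Google Hire; it assumes a simplified server-side template that emits the company name inside a `<script>` block as `window.company = {name: "..."}` (a hypothetical template, not the real one). It shows why the HTML parser ends the script element at `</script` regardless of JavaScript string quoting, and how JSON-encoding the value and escaping `<` and `>` as `\u003c` / `\u003e` keeps the data inside the literal. It also includes an HTML-entity encoder for the job-description case, where the value lands in an HTML body context instead.

```javascript
// Added example (not from the original post or the Google Hire code base).
// Assumed template (hypothetical): <script>window.company = {name: "..."};</script>
// built from the company name a tenant sets in the admin panel.

// Vulnerable pattern: raw string concatenation into a <script> context.
// The HTML parser scans script content for "</script" and closes the element
// there, so a value containing that sequence ends the block early.
function renderScriptUnsafe(companyName) {
  return '<script>window.company = {name: "' + companyName + '"};</script>';
}

// Safe pattern: JSON-encode the value, then replace the characters the HTML
// parser cares about inside a script element. "\u003c" is still "<" to the
// JavaScript engine, but the HTML parser never sees a literal "<".
// U+2028/U+2029 are escaped because they are line terminators in JavaScript.
function embedInScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderScriptSafe(companyName) {
  return '<script>window.company = {name: ' + embedInScript(companyName) + '};</script>';
}

// Job-description case: the value is rendered as HTML body content, so
// entity-encode it rather than passing raw markup through.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Crude detection for the script-context case: the template itself emits
// exactly one "</script", so any additional occurrence means the data
// terminated the element early.
function countScriptCloses(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Payload quoted in the write-up, used here as a constructed test input.
const PAYLOAD = '</script><script>alert(document.domain)</script><script>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe closes:', countScriptCloses(renderScriptUnsafe(PAYLOAD)));
  console.log('safe   closes:', countScriptCloses(renderScriptSafe(PAYLOAD)));
  console.log(renderScriptSafe(PAYLOAD));
  console.log(escapeHtml('<script>alert(document.domain)</script>'));
}
```

Run with `node` to see that the unsafe rendering contains three `</script` sequences (two from the data plus the template's own) while the safe rendering contains exactly one, and that the JSON-decoded value still round-trips to the original string, so the application sees the same company name without the browser ever parsing it as markup.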