Multiple XSS

Besides the blind XSS that I found against a Googler, I also found multiple stored XSS that executed on hire.withgoogle.com. Following are the vulnerabilities that I found:

XSS with Job Description

When we create a job in hire.withgoogle.com, we can append a job description to inform potential candidates about the job. One thing we could do was add a hyperlink. As usual, I tried to just put javascript:alert(document.domain), but there was a check in the front-end that prevented it. So I went ahead and intercepted the request. This is a sample of what the request parameter looked like:

Because it was interesting to see that the parameter contained HTML snippets, I went ahead and added one more HTML snippet to it: <script>alert(document.domain)</script>. After that, I published the job. When I browsed to the job later on, the XSS executed.
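The front-end check described above was bypassed simply by editing the request, so the rule that matters is the one enforced on the server. The following is an added example (not the author's code and not Google Hire's code) of a server-side allowlist check on hyperlink targets in user-supplied HTML such as a job description. The function names, the set of allowed schemes and the sample anchors are all constructed for this illustration; it assumes the href value has already been HTML-entity-decoded, which is what a DOM parser or sanitizer library hands back for an attribute value.

```javascript
'use strict';

// Added example, not code from the write-up: allowlist check for link targets.
// Assumption: `raw` is the already entity-decoded value of an href attribute.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

// Mimic the browser's URL pre-processing so the check sees what the browser
// would see: leading/trailing C0 controls and spaces are stripped, and ASCII
// tab/newline characters are removed anywhere in the value.
function normalizeHref(raw) {
  return String(raw)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '');
}

// True when the link is relative (no scheme) or uses an allowed scheme.
// The scheme is compared case-insensitively, as browsers treat it.
function isSafeHref(raw) {
  const href = normalizeHref(raw);
  const match = /^([a-z][a-z0-9+.-]*):/i.exec(href);
  if (match === null) {
    return true; // no scheme: a relative link, resolved against the page
  }
  return ALLOWED_SCHEMES.has(match[1].toLowerCase());
}

// Apply the check to a list of anchors (the shape a sanitizer might extract
// from a description); unsafe targets are replaced by an inert "#".
function cleanAnchors(anchors) {
  return anchors.map(({ href, text }) =>
    isSafeHref(href)
      ? { href: normalizeHref(href), text }
      : { href: '#', text });
}

// Constructed sample input: three links a user might submit in a description.
const SAMPLE_ANCHORS = [
  { href: 'https://example.com/careers', text: 'Careers page' },
  { href: ' \tjava\nscript:alert(document.domain)', text: 'Apply here' },
  { href: '/jobs/123', text: 'Related role' },
];

console.log(cleanAnchors(SAMPLE_ANCHORS));
```

The whitespace and case handling is the part worth copying: a check that only compares the raw string against the literal "javascript:" misses variants that the browser's URL parser normalizes to exactly that scheme. This check covers link targets only; which elements and attributes are allowed at all (the `<script>` element the write-up injected, for example) is the job of an allowlist-based HTML sanitizer run on the same server-side path.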

XSS in Company Name and Department Name

While I was browsing https://hire.withgoogle.com/public/jobs/securifyinccom, I clicked on a job that I had made and started checking how the information was loaded. During the process, I realized that the company name and department name were saved inside a <script> tag.

After that, I went back to my admin panel and changed my company name to a simple XSS payload: </script><script>alert(document.domain)</script><script>. I added this snippet to first close the <script> tag that was already open in the code and then create an XSS alert. After that, to make sure the page looked neat, I reopened another <script> tag. This also worked as expected and executed on hire.withgoogle.com.
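The reason a closing </script> in a company name works is that the HTML parser ends a script element at the first "</script" it sees, regardless of how the JavaScript inside quotes its strings. The following is an added example (not the author's code and not Google Hire's code) that puts the string-concatenation pattern beside the usual fix: JSON-encode the whole object and escape the characters that are meaningful to the HTML parser. The record shape, function names and the sample values are constructed for this illustration.

```javascript
'use strict';

// Added example, not code from the write-up. Constructed sample record: the
// company/department names stand in for values an admin-panel user controls.
const SAMPLE = {
  company: '</script><script>alert(document.domain)</script><script>',
  department: 'Engineering & "Research"',
};

// Unsafe pattern: user data concatenated straight into a <script> block.
// The HTML parser does not understand JavaScript quoting, so a "</script"
// inside the value terminates the element early.
function renderUnsafe(rec) {
  return '<script>var job = {company: "' + rec.company +
    '", department: "' + rec.department + '"};</script>';
}

// Safe pattern: serialize as JSON, then escape "<", ">" and "&" as JavaScript
// unicode escapes (valid in both JSON and JS, so the data round-trips intact)
// and escape U+2028/U+2029, which JSON permits raw but older JS engines
// treat as line terminators inside a string literal.
function jsonForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderSafe(rec) {
  return '<script>var job = ' + jsonForScript(rec) + ';</script>';
}

// Model the one rule of the HTML parser that matters here: the script
// element's content runs from the opening tag to the first case-insensitive
// "</script", wherever that happens to be.
function scriptContent(html) {
  const open = html.indexOf('<script>') + '<script>'.length;
  const close = html.toLowerCase().indexOf('</script', open);
  return html.slice(open, close);
}

console.log('unsafe script content:', JSON.stringify(scriptContent(renderUnsafe(SAMPLE))));
console.log('safe script content:  ', scriptContent(renderSafe(SAMPLE)));
```

With the unsafe renderer the script content is cut off at `var job = {company: "` and the rest of the name becomes new markup, which is exactly the breakout the write-up describes. With the safe renderer the content contains `\u003c/script` instead of a literal closing tag, the browser still decodes it to the original string when it evaluates the object literal, and the same escaping protects against `<!--` and `&` edge cases in the same position.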