
CVE-2026-31381, CVE-2026-31382 Gainsight Assist Information ... #2041

Open
carlospolop wants to merge 1 commit into master from
update_CVE-2026-31381__CVE-2026-31382__Gainsight_Assist_I_20260320_184736

Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

Title/Scope
Rapid7 disclosed a 2-bug chain in the Gainsight Assist plugin ecosystem involving the trusted domain app.gainsight.com used as an OAuth callback endpoint. The chain combines:
1) CVE-2026-31381 — information disclosure of user email addresses (PII) via a Base64-encoded OAuth state value present in a failure URL, and
2) CVE-2026-31382 — reflected XSS / HTML injection via error_description, with a demonstrated Safar...

🔧 Technical Details

PII leakage through OAuth callback URL parameters: If an OAuth implementation embeds sensitive identifiers (e.g., attempted login email) inside URL parameters such as state and only Base64-encodes them, any party with visibility into the URL can decode the value and harvest PII. Because URLs are frequently captured (logs, proxies, browser history), avoid placing PII in URLs; use server-side session correlation or opaque identifiers.

Reflected HTML injection/XSS via error parameters on a trusted origin: Reflecting attacker-controlled strings like error_description into an error page without strict output encoding allows content spoofing and HTML injection, producing highly convincing phishing pages hosted on a legitimate domain. If script execution becomes possible (even in a single browser), this can escalate to reflected XSS.

WAF bypass using browser-specific event handlers (Safari onpagereveal): WAF rules comm...

🤖 Agent Actions

Updated oauth-to-account-takeover.md.

I placed the content in the OAuth guide instead of the generic XSS page because the blog is mainly an OAuth callback misuse chain: attacker-controlled callback error parameters reflected on a trusted origin, plus state carrying reversible PII. The new subsection covers reflected error_description, trusted-origin phishing, Safari onpagereveal as a browser-specific/WAF-bypass angle, self-referential callback abuse, and Base64-decoded state inspection for PII leakage. I also added the Rapid7 blog and MDN pagereveal docs to the file’s ## References.

Verified with git diff; only that single file was changed.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
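A defender-side check for the two pitfalls the PR body describes, added here as an example (it is not code from the PR, the HackTricks repository or the Rapid7 post): it decodes the `state` parameter of a callback URL and reports any e-mail address it carries, shows the opaque server-side correlation alternative, and encodes `error_description` before rendering it. The host, the JSON layout of the state value and all names are constructed assumptions, not the vendor's real format.

```python
import base64
import binascii
import html
import json
import re
import secrets
from urllib.parse import parse_qs, urlsplit

# Loose e-mail pattern, enough to flag PII in a decoded state value.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def decode_state(state: str) -> str:
    """Decode a Base64 state (either alphabet, padding fixed up); '' if it is not Base64 text."""
    padded = state + "=" * (-len(state) % 4)
    try:
        return base64.urlsafe_b64decode(padded).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return ""


def find_pii_in_state(callback_url: str) -> list:
    """Return every e-mail address recoverable from the state parameter(s) of a callback URL."""
    query = parse_qs(urlsplit(callback_url).query)
    found = []
    for state in query.get("state", []):
        found.extend(EMAIL_RE.findall(decode_state(state)))
    return found


class OpaqueStateStore:
    """Server-side correlation: the URL carries only a random token; the e-mail stays on the server."""
    def __init__(self) -> None:
        self._pending = {}

    def issue(self, user_email: str) -> str:
        token = secrets.token_urlsafe(32)
        self._pending[token] = user_email
        return token

    def redeem(self, token: str):
        return self._pending.pop(token, None)  # single use; None if unknown or replayed


def render_error(error_description: str) -> str:
    """Encode the reflected parameter so markup inside it is displayed, not interpreted."""
    return f"<p>Login failed: {html.escape(error_description, quote=True)}</p>"


# Constructed sample (hypothetical host and state layout, not the vendor's real format).
LEAKY_STATE = base64.urlsafe_b64encode(json.dumps({"email": "alice@example.com", "nonce": "n1"}).encode()).decode()
LEAKY_URL = f"https://app.example.invalid/oauth/callback?error=access_denied&error_description=denied&state={LEAKY_STATE}"
```

Running `find_pii_in_state` over captured callback URLs (proxy or web-server logs) is a cheap way to confirm whether an OAuth integration is leaking identifiers the way the first CVE describes.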

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://www.rapid7.com/blog/post/ve-cve-2026-31381-cve-2026-31382-gainsight-assist-information-disclosure-xss-fixed

Content Categories: Based on the analysis, this content was categorized under "Pentesting Web -> XSS (Cross Site Scripting) (add a subsection on WAF bypass via uncommon/browser-specific event handlers like Safari onpagereveal) and/or Pentesting Web -> OAuth to Account takeover (note about OAuth callback error parameter reflection and state/PII-in-URL pitfalls)".

Repository Maintenance:

  • MD Files Formatting: 954 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
