Hi all! This is one of the Stored XSS which I found on Eventbrite.
Steps to reproduce:
2. Go to: eventbrite. es /create
3. Put your XSS payload in this fields: State and City (Estado and Ciudad in Spanish).
4. Random values in all other fields.
5. Publish your event and go to it.
6. You will get your XSS Proof of Concept.
I reported it and I got the answer in a few hours.
"Thanks for contacting Eventbrite Security
We are fixing this issue as we speak. It is an oversight in a new UI
change to our global headers.
The actual field affected is the State field of the Venue description.
We are happy to include you on our Wall of Fame. Please provide the
name and twitter handle/URL you wish to be listed under.
Then, they added me to their Wall of Fame ;)