From this webpage screenshot, the following key information about the vulnerability can be obtained: 1. Title: XSS in hidden input fields 2. Author: Gareth Heyes 3. Published Date: 16 November 2015 at 11:25 UTC 4. Updated Date: 14 June 2019 at 12:03 UTC 5. Vulnerability Description: - XSS in hidden inputs is often very difficult to exploit because typical JavaScript events like and cannot be triggered due to the element being invisible. - The author decided to investigate further to see if exploitation was possible on modern browsers. They discovered that the event is triggered on a hidden input when activated via an access key. - The vector used was: - This vector is not ideal as it requires some user interaction, but it is significantly better than which only works on IE≤9. 6. How It Works: - The author considered access keys and wondered whether the event would be triggered on a hidden input when activated via an access key. - They found that this works in Firefox, where the key combination is on Windows and on OS X. - You can specify a different key combination by using a different character in the attribute. 7. Update: - The technique now works in Chrome and with / elements and any other elements. - It also works with elements where you only control attributes — these can be exploited using this technique. - For example, if you have a element with a attribute set to , and you inject the attribute along with an event, you achieve XSS. - The vector used is: 8. POC: - A proof-of-concept using elements is available. - The author suggests visiting the Web Security Academy to learn more about cross-site scripting (XSS). This information provides a detailed explanation of how to exploit XSS in hidden input fields and how to trigger the event via access keys to execute XSS attacks.