Key Information

Vulnerability Type
Stored XSS: Stored Cross-Site Scripting

Affected Versions
Todoist App v8484

Vulnerability Description
In the avatar upload feature, unrestricted file upload and insufficient content type validation allow uploading a PNG file containing malicious JavaScript. When users view or render these images, the stored XSS is triggered.

Attack Vector
Affected Pages:
- https://app.todoist.com/app/project/
- https://app.todoist.com/app/tasks/

Attack Method
Create a PNG file containing malicious script and inject it into the comment field.
Example command:

Content Type Bypass
When uploading via Burp Suite, the Content-Type header is modified to .

Request Example
POST Request Example:

Result
The file is successfully uploaded and stored on cloudfront.net; when it is previewed or rendered, the malicious JavaScript is executed.

CDN Link
Example link:

Summary
This vulnerability allows attackers to upload malicious PNG files and execute arbitrary JavaScript code within the comment fields of the Todoist platform, thereby attacking other users.
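
A server-side check for the weakness summarised above, as an added example that is not part of the original report or Todoist's code: it ignores the client-supplied Content-Type, accepts only a well-formed PNG, drops text and metadata chunks, and returns headers for serving the stored file. The function names, the chunk allowlist, the size limit and the sample files are assumptions constructed for illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types kept on re-serialisation; tEXt/iTXt/zTXt and other metadata are dropped.
KEEP = {b"IHDR", b"PLTE", b"tRNS", b"IDAT", b"IEND"}

def sanitize_png(data: bytes, max_size: int = 2_000_000) -> bytes:
    """Return a re-serialised PNG or raise ValueError; the client Content-Type is never read."""
    if len(data) > max_size or not data.startswith(PNG_SIG):
        raise ValueError("not an acceptable PNG")
    out, pos, seen = [PNG_SIG], len(PNG_SIG), []
    while not seen or seen[-1] != b"IEND":
        if pos + 12 > len(data):
            raise ValueError("truncated chunk")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            raise ValueError("chunk length exceeds file")
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if crc != zlib.crc32(data[pos + 4:end - 4]):  # CRC covers type + data
            raise ValueError("bad CRC")
        if not seen and ctype != b"IHDR":
            raise ValueError("first chunk is not IHDR")
        seen.append(ctype)
        if ctype in KEEP:
            out.append(data[pos:end])
        pos = end
    if pos != len(data) or b"IDAT" not in seen:
        raise ValueError("data after IEND or no image data")
    return b"".join(out)

def serving_headers() -> dict:
    """Response headers for stored avatars: fixed type, no sniffing, no script."""
    return {"Content-Type": "image/png",
            "X-Content-Type-Options": "nosniff",
            "Content-Security-Policy": "default-src 'none'; sandbox"}

def chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk (used only for the constructed samples below)."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

# Constructed samples: a 1x1 grayscale PNG, and the same file carrying a text chunk.
IHDR = chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
IDAT = chunk(b"IDAT", zlib.compress(b"\x00\x00"))
CLEAN = PNG_SIG + IHDR + IDAT + chunk(b"IEND", b"")
TAGGED = PNG_SIG + IHDR + chunk(b"tEXt", b"Comment\x00<b>constructed</b>") + IDAT + chunk(b"IEND", b"")
assert sanitize_png(TAGGED) == CLEAN  # the text chunk is dropped
```

Chunk filtering does not inspect the pixel data itself; decoding and re-encoding the image with an image library is a stricter step.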