- admin --> Firefox browser, normal mode --> victim
- user B --> Firefox browser, private mode --> attacker
STEPS TO REPRODUCE
- From the admin account, invite user B with lower permissions.
- From the admin account, create a collection.
- Switch to user B's account (Firefox private mode) and open the collection created above. Add a comment containing the XSS payload below and observe that the XSS executes.
xss"'><img src=x onerror=alert(2)>
- From the admin account, open the same collection and observe that the XSS executes under the admin account: the payload is stored with the comment and runs for every viewer, including higher-privileged users.
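As an added example (not code from the report or from the affected application), the comment rendering pattern that produces this stored XSS beside the fixed version that HTML-encodes the comment on output; the function names are assumed, and the payload is the one quoted above.

```javascript
// Added example: encode untrusted comment text before it is placed in markup.
// REPORTED_PAYLOAD is the payload from the report; everything else is constructed.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Escape the five characters that can break out of an HTML text or
// attribute context. This is the minimal output encoding for HTML bodies.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored comment is concatenated straight into markup,
// so the <img onerror=...> in the payload becomes live HTML for every viewer,
// including the admin who opens the collection later.
function renderCommentUnsafe(comment) {
  return `<div class="comment">${comment}</div>`;
}

// Fixed pattern: encode on output, so the payload is displayed as literal text.
function renderCommentSafe(comment) {
  return `<div class="comment">${escapeHtml(comment)}</div>`;
}

// Detection helper for the demonstration: strip the known wrapper and report
// whether the comment body still contains an unescaped tag start such as "<img".
function bodyContainsTag(html) {
  const body = html.replace(/^<div class="comment">/, '').replace(/<\/div>$/, '');
  return /<\/?[a-z]/i.test(body);
}

const REPORTED_PAYLOAD = `xss"'><img src=x onerror=alert(2)>`;
```

The same encoding must be applied wherever the comment is rendered, including the admin view, since the payload is stored server-side rather than reflected.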