# Summary

With any in-app redirect - logic/open redirect, HTML or JavaScript injection - it's possible to execute arbitrary code within Slack desktop apps. This report demonstrates a specifically crafted exploit consisting of an HTML injection, security control bypass and an RCE JavaScript payload. This exploit was tested as working on the latest Slack for desktop (4.2, 4.3.2) versions...
![Slack disclosed on HackerOne: Remote Code Execution in Slack...](https://cdn-ak-scissors.b.st-hatena.com/image/square/067fac44fb4f45830859f8e8a87f74dbcfbef937/height=288;version=1;width=512/https%3A%2F%2Fprofile-photos.hackerone-user-content.com%2Fvariants%2F000%2F000%2F069%2F683fee312381bc46cadc7ea1950abc87944d12c3_original.png%2F60f411638706d89ae3052af6fe8b88fa9a798e291deee40f6a22e81418d78d5f)