Cross-site Scripting (XSS) - Stored in leantime/leantime
Reported on
Nov 24th 2021
Description
I found a Stored XSS in the title of the content.
Proof of Concept
Steps
1. First of all, build the environment with Docker and create an administrator user.
2. Next, create a new "To-Do" from "Project Dashboard" in the left menu. (/)
3. Next, create an account with the "Team Member" role from "User Management" in the menu on the right side, and assign it to the project you created earlier. (/users/newUser/)
4. Then log in as the member user you just created, in a separate private browsing tab.
5. Then select "Retrospectives" from the menu on the left and click "Add More". (/retrospectives/showBoards)
6. Then embed the following payload in "Description" and save it:
"/></script><script>alert(3)</script>
The request sent when saving:
POST /retrospectives/retroDialog/ HTTP/1.1
Host: localhost
...
canvasId=&box=well&itemId=&description=%22%2F%3E%3C%2Fscript%3E%3Cscript%3Ealert(3)%3C%2Fscript%3E%0D%0A&data=%22%2F%3E%3C%2Fscript%3E%3Cscript%3Ealert(10)%3C%2Fscript%3E%0D%0A&milestoneId=&changeItem=1
7. Finally, when you open "Retrospectives" as the administrator user, the alert pop-up is displayed.
From the above, it is confirmed that a Stored XSS payload saved by an ordinary user is executed on the administrator's screen.
Summary
- Endpoint: POST /retrospectives/retroDialog/
- Parameter: description
- Test Payload: "/></script><script>alert(3)</script>
Impact
This vulnerability can be used to steal a user's cookie.
With the stolen cookie, it may then be possible to gain unauthorized access to that user's account.
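The payload works because the stored description is copied into the page without encoding for the context it lands in: the leading `"/>` closes an attribute and tag, `</script>` terminates any enclosing inline script, and the rest is a fresh script element. The following Python script is an added illustration, not Leantime's code; `render_unsafe` mimics such a template (its exact shape is an assumption, since the report does not show the sink), and `render_safe` shows the fix: HTML-entity encoding for attribute/text context and JSON with `<`, `>` and `&` escaped for the inline-script context.

```python
import html
import json

# Constructed sample: the payload from the report, as submitted by a Team Member.
PAYLOAD = '"/></script><script>alert(3)</script>'


def render_unsafe(description: str) -> str:
    """Hypothetical vulnerable template: the stored description is concatenated
    into an attribute, into element text and into an inline script unencoded."""
    return (
        f'<div class="retro-item" title="{description}">{description}</div>\n'
        f'<script>var item = {{"description": "{description}"}};</script>'
    )


def render_safe(description: str) -> str:
    """Context-aware output encoding for the same template."""
    # Attribute and text context: entity-encode & < > " '
    attr_text = html.escape(description, quote=True)
    # Script context: JSON string literal, plus escaping of the characters
    # that could end the <script> block (json.dumps leaves '<' intact).
    js_literal = (
        json.dumps(description)
        .replace("<", "\\u003c")
        .replace(">", "\\u003e")
        .replace("&", "\\u0026")
    )
    return (
        f'<div class="retro-item" title="{attr_text}">{attr_text}</div>\n'
        f'<script>var item = {{"description": {js_literal}}};</script>'
    )


def script_tag_count(markup: str) -> int:
    """Number of '<script' openings in the rendered output.
    The template itself contributes exactly one; anything more came from data."""
    return markup.lower().count("<script")


if __name__ == "__main__":
    print("unsafe:", script_tag_count(render_unsafe(PAYLOAD)), "script tags")  # 4
    print("safe:  ", script_tag_count(render_safe(PAYLOAD)), "script tag")     # 1
```

The same check (count script openings, or better, parse the output and compare against the template's own elements) is a cheap regression test to attach to any template that renders user-supplied text.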
@maintainer, I would be glad if you could approve this for a CVE.
We are happy to assign a CVE once we get the go-ahead from the maintainer. Feel free to ping them on the commit SHA comments section 👍