Cross-site Scripting (XSS) - Stored in chaskiq/chaskiq

Valid

Reported on

Jan 14th 2022

Description

When creating a link using the editor function, the Stored XSS vulnerability occurs because a javascript scheme can be used.

Proof of Concept

1. Go to campaigns -> Mailing Campaigns -> Editor
2. Enter the URL: javascript:alert(document.domain)
3. After, Click the URL

Video : https://www.youtube.com/watch?v=OC-SLVi_u4k

Impact

Through this vulnerability, an attacker is capable to execute malicious scripts.

We are processing your report and will contact the chaskiq team within 24 hours. a year ago

Miguel Michelson Martinez validated this vulnerability a year ago

Pocas has been awarded the disclosure bounty

The fix bounty is now up for grabs

Miguel Michelson Martinez Miguel

commented a year ago

Maintainer

I've released a fix on this blocking the input that makes it possible to insert the XSS on the hiperlinks

Miguel Michelson Martinez marked this as fixed in b7f5950 with commit b7f595 a year ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

to join this conversation