Html Injection in Groups in alfio-event/alf.io
Dec 7th 2022
Insert an XSS payload in the group fields (Name, Description).
Proof of Concept
Log in to the dashboard.
Navigate to Groups.
Insert the Name and Description.
Phishing or Response Manipulation
We are processing your report and will contact the alfio-event/alf.io team within 24 hours. 4 months ago
Sylvain Jermini validated this vulnerability 3 months ago
Hi @reza.duty, you are right, the HTML should not be interpreted in the notification widget.
A fix is pending.
To be noted, Content-Security-Policy is blocking the JS code =).
Thank you for reporting it, we appreciate it.
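The maintainer's point above is that the widget must treat the group name and description as text rather than markup. The following is an added illustration written for this page, not alf.io's own code, of the defect and of the usual fix: escaping every user-controlled value before it is concatenated into HTML. The group object, its field values and the function names are constructed for the example.

```javascript
// Added example (not alf.io code): rendering a group notification without
// interpreting HTML that arrived in user-controlled fields (name, description).

// Minimal HTML escaper for text placed in element content or quoted attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: user-supplied fields are concatenated straight into the
// widget markup, so any tag inside them is interpreted by the browser.
function renderNotificationUnsafe(group) {
  return `<div class="notification">Group <b>${group.name}</b> saved: ${group.description}</div>`;
}

// Hardened pattern: each user-controlled value is escaped before it is placed
// in markup; only the fixed template supplies tags.
function renderNotificationSafe(group) {
  return `<div class="notification">Group <b>${escapeHtml(group.name)}</b> saved: ${escapeHtml(group.description)}</div>`;
}

// Constructed sample group whose fields carry harmless markup (hypothetical,
// not a value taken from the report).
const sampleGroup = {
  name: "VIP <i>guests</i>",
  description: 'see <a href="https://example.invalid">here</a>',
};

// Detection helper for a rendering test: does the output still contain an
// opening tag that only the user input could have supplied?
function containsUserTag(html, tagName) {
  return html.includes(`<${tagName}`);
}
```

In a real widget the simplest form of the same fix is to set the field values through `textContent` (or the template engine's escaping binding) instead of building an HTML string, which makes the escaper unnecessary; CSP, as noted in the thread, limits script execution but does not stop the injected markup from rendering.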
reza.duty has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
commented 3 months ago
Thanks. Can you please request a CVE?
Celestino Bellone marked this as fixed in 2.0-M4-2301 with commit c1ae54 2 months ago
This vulnerability has been assigned a CVE