vulnerability cross site scripting (xss)
severity 7.6
language ruby
registry other

#SUMMURY i contacted the company directly , but they told me submit the bug through huntr

✍️ Description

Stored xss .Agent can make cross site scripting against admin


🕵️‍♂️ Proof of Concept


  1. From admin(user A) goto and add user B as Agent .

  2. Now add user B to a website widget .

  3. Now goto user B account and change full name to xss payload xss"'><img src=x onerror=alert(document.domain)>

  4. Now as a external customer sent a support chat message . User B picked up this message and make a reply .

  5. Now when Admin open this support this and mouseover over the message then xss is executed under admin account .

💥 Impact

agent can make stored xss attack against admin