Cross-site Scripting (XSS) - Generic in okTurtles/group-income-simple

Valid
Reported on Apr 19th 2021

✍️ Description

Stored XSS via the Giving field of the contributions page

🕵️‍♂️ Proof of Concept

  1. There is a group called testing2. User A and user B are both members of that group.
  2. User B (user 2) goes to http://user-xx:8000/app/contributions in the above group's contributions and adds a Giving with the XSS payload below: xss"'><img src=x onerror=alert(document.domain)>
  3. The XSS now executes in user A's account.

Video PoC:

https://drive.google.com/file/d/1_0CuUGHRBNqFevqslIn7uzEkkFog-wSw/view?usp=sharing
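The following is an added illustration, not code from group-income-simple: it takes the exact payload from step 2 and shows the rendering pattern that lets it execute (the stored value inserted into the page as HTML) next to the hardened form (the value escaped for the HTML text context), plus a check a test suite can run to confirm no member-supplied markup reaches the DOM. Function names and the wrapper element are assumptions.

```javascript
// Added illustration, not code from group-income-simple. Function names and
// the <li class="giving"> wrapper are hypothetical.

// The exact payload from step 2 of the report.
const REPORTED_PAYLOAD = `xss"'><img src=x onerror=alert(document.domain)>`;

// Escape the five characters that change meaning in HTML text or attribute
// context. Everything else passes through unchanged.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the stored Giving text is concatenated straight into
// markup (equivalent to assigning it to innerHTML). The browser parses the
// <img ...> in the payload as a real element, src=x fails to load, and the
// onerror handler runs in every viewer's session, which is what user A sees
// in step 3.
function renderGivingUnsafe(description) {
  return `<li class="giving">${description}</li>`;
}

// Hardened pattern: the value is escaped before being placed in HTML, so the
// browser shows the payload as literal text and creates no <img> element
// (equivalent to setting textContent on the node).
function renderGivingSafe(description) {
  return `<li class="giving">${escapeHtml(description)}</li>`;
}

// Defender-side check for a unit test or CI gate: count element tags in the
// rendered output. One item must yield exactly the <li> open and close tag;
// any extra tag means attacker-controlled markup leaked into the page.
function countTags(html) {
  return (html.match(/<\/?[a-zA-Z][^>]*>/g) || []).length;
}

function rendersWithoutInjectedMarkup(renderFn, description) {
  return countTags(renderFn(description)) === 2;
}

console.log(rendersWithoutInjectedMarkup(renderGivingUnsafe, REPORTED_PAYLOAD)); // false
console.log(rendersWithoutInjectedMarkup(renderGivingSafe, REPORTED_PAYLOAD));   // true
```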

💥 Impact

Stored XSS: a payload saved by one group member executes in another member's session when they view the contributions page.