Cross-site Scripting (XSS) - Stored in francoisjacquet/rosariosis

Valid

Reported on May 2nd 2022


Description

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Proof of Concept

  • works in Firefox (not in Chromium-based browsers)
  • log in as admin
  • go to https://www.rosariosis.org/demonstration/Modules.php?modname=Resources/Resources.php
  • create a link with the payload JaVasCrIpT:alert(1)
  • click the link
  • observe the pop-up

Impact

Every user clicking the link can be affected by malicious JavaScript code created by the attacker.
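
A defensive check for the link field described above, as an added example that is not part of the original report and is not the RosarioSIS fix: it parses the submitted link with the WHATWG URL parser, which lowercases the scheme the way browsers do, and accepts only allowlisted schemes. The allowlist, the base URL, and the function names naiveIsSafe and sanitizeLink are assumptions made for this example.

```javascript
// Assumption: resource links only ever need these schemes.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:', 'mailto:']);

// Placeholder base, constructed for this example, used only to resolve
// relative links such as "Modules.php?modname=...".
const BASE = 'https://sis.example.invalid/';

// Hypothetical naive filter, shown for contrast only: a case-sensitive
// blocklist. The mixed-case payload from the report passes it.
function naiveIsSafe(link) {
  return !link.startsWith('javascript:');
}

// Returns the normalized href when the link is acceptable, otherwise null.
function sanitizeLink(link) {
  let url;
  try {
    url = new URL(link, BASE);
  } catch (err) {
    return null; // unparsable input is rejected, never passed through
  }
  // url.protocol is always lowercase and includes the trailing colon,
  // so "JaVasCrIpT:" and "javascript:" compare identically here.
  return ALLOWED_PROTOCOLS.has(url.protocol) ? url.href : null;
}

// Constructed sample inputs; the first is the payload from the report.
const samples = [
  'JaVasCrIpT:alert(1)',
  'https://www.rosariosis.org/',
  'Modules.php?modname=Resources/Resources.php',
  'mailto:admin@example.invalid',
];

for (const s of samples) {
  console.log(JSON.stringify(s),
    '| naive filter accepts:', naiveIsSafe(s),
    '| allowlist result:', sanitizeLink(s));
}
```

Store and render the value returned by sanitizeLink rather than the raw input, and still HTML-escape it when writing it into the href attribute.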

We are processing your report and will contact the francoisjacquet/rosariosis team within 24 hours. (22 days ago)
We have contacted a member of the francoisjacquet/rosariosis team and are waiting to hear back. (21 days ago)
François Jacquet validated this vulnerability. (20 days ago)
intrapus has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
François Jacquet confirmed that a fix has been merged on 10135c. (20 days ago)
François Jacquet has been awarded the fix bounty
Resources.php#L5-L58 has been validated