Cross-site Scripting (XSS) - Stored in combodo/itop

Valid

Reported on

Jun 30th 2021

💥 BUG

stored xss via problem title

💥 STEP TO REPRODUCE

Plz check this 1 minute video to reproduce https://drive.google.com/file/d/1n7ni3y5LNkK2ntrTTvVNLNOEmf2iKReO/view?usp=sharing

💥 Impact

I see there is many different type of role base user . So, user who has permission to create problem can make xss attack against higher level user or admin

ranjit-git modified the report

2 years ago

Z-Old

commented 2 years ago

Admin

Hey ranjit-git, I've just emailed the maintainer and am waiting to hear back. Good job!

We have contacted a member of the combodo/itop team and are waiting to hear back 2 years ago

A combodo/itop maintainer validated this vulnerability 2 years ago

ranjit-git has been awarded the disclosure bounty

The fix bounty is now up for grabs

Pierre Goiffon

commented 3 months ago

Maintainer

This vulnerability wasn't reproduced on iTop 2.7.* It was fixed in iTop 3.0.0-beta3 (N°4127) Corresponding GitHub security advisory : Fix XSS vulnerability in object attribute's tooltip · Advisory · Combodo/iTop

Pierre Goiffon marked this as fixed in 3.0.0-beta4 with commit 53fd41 3 months ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

This vulnerability is scheduled to go public on Aug 12th 2021

Pierre Goiffon published this vulnerability 3 months ago

to join this conversation