Cross-site Scripting (XSS) - Stored in combodo/itop
Jun 30th 2021
Stored XSS via file upload
💥 STEPS TO REPRODUCE
Here, in this case, I uploaded an HTML file with an XSS payload inside.
Please check this 1-minute video to reproduce: https://drive.google.com/file/d/1xKqYFgrsFUfp9Ufe4XiATQcAL-Q6Mr9G/view?usp=sharing
I see there are many different types of role-based users. So, a user who has permission to upload documents can make an XSS attack against a higher-level user or admin.
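Added example (not iTop's own code, and not the fix shipped in 2.7.6): a defender-side download handler for stored uploads, showing the response headers that keep an uploaded HTML file from rendering in the application's origin. The helper names, the sniffing heuristic and the sample uploads are all assumptions constructed for this illustration.

```python
import re

# Declared types a browser may render as an active document (scripts run).
ACTIVE_TYPES = {
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "text/xml", "application/xml",
}

def looks_like_markup(data: bytes) -> bool:
    """Cheap sniff for HTML/SVG content regardless of the declared type."""
    head = data[:1024].lstrip().lower()
    return any(tag in head for tag in (b"<!doctype html", b"<html", b"<script", b"<svg"))

def download_headers(filename: str, declared_type: str, data: bytes) -> dict:
    """Headers for serving a stored upload so it is delivered as inert data."""
    # Never echo the raw user-supplied name into a header; keep a safe subset.
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "download"
    content_type = declared_type
    if declared_type.lower() in ACTIVE_TYPES or looks_like_markup(data):
        # Active content is served as an opaque blob instead of being rendered.
        content_type = "application/octet-stream"
    return {
        "Content-Type": content_type,
        # attachment forces a download rather than inline rendering
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        # stop the browser from re-sniffing an octet-stream back into HTML
        "X-Content-Type-Options": "nosniff",
        # even if a client still renders it, no scripts run and no origin is granted
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }

# Constructed sample uploads (hypothetical, not attachments from the report).
SAMPLES = {
    "report.pdf": ("application/pdf", b"%PDF-1.4 ..."),
    "page.html": ("text/html", b"<html><script>x()</script></html>"),
    "notes.txt": ("text/plain", b"<!doctype html><p>mislabelled markup</p>"),
}

def check_samples() -> dict:
    """Map each sample to the Content-Type it would actually be served with."""
    return {name: download_headers(name, ct, body)["Content-Type"]
            for name, (ct, body) in SAMPLES.items()}

if __name__ == "__main__":
    for name, served_as in check_samples().items():
        print(f"{name}: served as {served_as}")
```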
Hey ranjit-git, I've just emailed the maintainer and am waiting to hear back. Good job!
The fix will be part of 2.7.6, which has just been released. A GitHub advisory was created: https://github.com/Combodo/iTop/security/advisories/GHSA-67x5-mqg4-rvgc
We will publish this page and the advisory in 3 months.
Hi, Combodo usually sends goodies to its contributors, as a way to thank them. @ranjit-git can you send your postal address to pierre.goiffon @ combodo.com (remove spaces around the @)?
@maintainer Thanks for such care. Happy to secure the iTop project. I will send my postal address to the above mail id.