Cross-site Scripting (XSS) - Stored in combodo/itop
Jun 30th 2021
Stored XSS via file upload
💥 STEPS TO REPRODUCE
Here, in this case, I uploaded an HTML file with an XSS payload inside.
Please check this 1-minute video to reproduce: https://drive.google.com/file/d/1xKqYFgrsFUfp9Ufe4XiATQcAL-Q6Mr9G/view?usp=sharing
I see there are many different types of role-based users. So, a user who has permission to upload documents can make an XSS attack against a higher-level user or admin.
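The report above describes an uploaded HTML file being stored and later served back, so that its script runs in the browser of whoever opens it. The following Python is an added example, not iTop's code and not part of the original report, showing the two server-side controls that break that chain: sniffing the stored bytes for HTML regardless of the declared MIME type or extension, and serving anything outside a small allowlist of inline-safe types as a download with `X-Content-Type-Options: nosniff`. The function names, the allowlist and the sample bytes are all constructed for this illustration.

```python
"""
Defensive handling of user uploads that an application later serves back to
other users (the stored-XSS-via-upload pattern in the report above).

Two independent controls:
  1. Content sniffing: the bytes themselves are inspected, so a file named
     'notes.txt' or 'photo.jpg' that actually contains HTML is still treated
     as active content.
  2. Response headers: only a small allowlist of types is served inline;
     everything else goes out as an attachment with nosniff, so the browser
     never renders it as a page in the application's origin.
"""
import mimetypes
import re

# Types a browser can render inline without executing script (constructed
# allowlist for the example; PDF and SVG are deliberately left out because
# both can carry script).
SAFE_INLINE_TYPES = {"image/png", "image/jpeg", "image/gif", "text/plain"}

# Tag names that mark a byte stream as HTML-like; a match anywhere in the
# first KiB is treated conservatively as active content.
HTML_TAG_RE = re.compile(
    rb"<\s*(!doctype\s+html|html|head|body|script|iframe|svg|object|embed|"
    rb"meta|style|title|a|p|div|br|img|table|h[1-6])[\s>/]",
    re.IGNORECASE,
)


def looks_like_html(data: bytes) -> bool:
    """True if the leading bytes contain an HTML tag (BOM and whitespace skipped)."""
    head = data[:1024].lstrip(b"\xef\xbb\xbf \t\r\n")
    return HTML_TAG_RE.search(head) is not None


def classify_upload(filename: str, declared_type: str, data: bytes) -> str:
    """Return the MIME type the server will store for this file.

    The declared type and the extension are untrusted input: sniffed HTML
    overrides both, and the declared type is kept only when it agrees with
    the extension. Anything unknown falls back to an opaque binary type.
    """
    if looks_like_html(data):
        return "text/html"
    guessed, _ = mimetypes.guess_type(filename)
    if declared_type and guessed == declared_type:
        return declared_type
    return guessed or "application/octet-stream"


def response_headers(filename: str, stored_type: str) -> dict:
    """Headers for serving a stored upload back to a (possibly privileged) user."""
    # Strip anything that could break out of the quoted filename parameter.
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "download"
    headers = {"X-Content-Type-Options": "nosniff"}
    if stored_type in SAFE_INLINE_TYPES:
        headers["Content-Type"] = stored_type
        headers["Content-Disposition"] = f'inline; filename="{safe_name}"'
    else:
        # Force a download and refuse to let the browser interpret the body
        # as a document; the sandbox CSP is a second layer if it is rendered.
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{safe_name}"'
        headers["Content-Security-Policy"] = "sandbox"
    return headers


if __name__ == "__main__":
    # Constructed sample uploads: one disguised HTML file, one real JPEG header.
    samples = [
        ("notes.txt", "text/plain", b"<script>alert(1)</script>"),
        ("photo.jpg", "image/jpeg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ]
    for name, declared, body in samples:
        stored = classify_upload(name, declared, body)
        print(name, "->", stored, response_headers(name, stored))
```

The sniffing deliberately errs toward "download": a plain-text file that merely mentions a `<p>` tag is served as an attachment rather than inline, which costs nothing for the user and removes the case where an attachment is rendered as a document in the application's own origin.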