Cross-site Scripting (XSS) - Stored in projectsend/projectsend

Status: Valid

Reported on Jul 2nd 2021


💥 BUG

Stored XSS during file upload

💥 STEPS TO REPRODUCE

Check this 1-minute video to reproduce the bug: https://drive.google.com/file/d/17TkVQxAOuXxSnlaPh4smvbJndcW-JQla/view?usp=sharing

💥 IMPACT

A lower-level user can mount an XSS attack against the admin. Using this XSS bug, a lower-level user can execute arbitrary JavaScript in the admin's account.
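The report does not say which upload field carries the payload, so the following is an added illustration (not ProjectSend's own code) of the bug class it describes: metadata stored from a low-privileged client's upload is later rendered in an admin page, and must be HTML-encoded at output time. It assumes the stored file name and description are attacker-controlled.

```php
<?php
declare(strict_types=1);

// Constructed sample record, as it might be stored after a client upload.
// The markup in the name is a benign marker used only to show the difference
// between the two renderers below.
$uploadedFile = [
    'name'        => '<script>alert(1)</script>report.pdf',
    'description' => 'Quarterly "report" for the admin',
];

// Vulnerable rendering: stored values are concatenated into the admin file
// list as-is, so any markup in them runs in the administrator's browser.
function renderFileRowUnsafe(array $file): string
{
    return '<tr><td>' . $file['name'] . '</td><td>' . $file['description'] . '</td></tr>';
}

// Hardened rendering: every stored value is HTML-encoded when written out.
// ENT_QUOTES also encodes single quotes, so the helper is safe inside
// attribute values; ENT_SUBSTITUTE avoids returning an empty string on
// malformed UTF-8, which would otherwise silently drop the field.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderFileRowSafe(array $file): string
{
    return '<tr><td>' . e($file['name']) . '</td><td>' . e($file['description']) . '</td></tr>';
}

// Self-check: the hardened output must contain no raw tag from the stored input,
// only its encoded form.
function isInert(string $html): bool
{
    return strpos($html, '<script') === false && strpos($html, '&lt;script&gt;') !== false;
}

$unsafe = renderFileRowUnsafe($uploadedFile);
$safe   = renderFileRowSafe($uploadedFile);

if (isInert($unsafe) || !isInert($safe)) {
    throw new RuntimeException('output-encoding self-check failed');
}

echo $unsafe, PHP_EOL; // markup survives intact: this is the stored XSS
echo $safe, PHP_EOL;   // markup is displayed as text: fixed
```

Encoding at the rendering point, rather than stripping characters at upload time, is the reliable fix because the same stored value may be rendered in more than one context.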

Timeline:

- We have contacted a member of the projectsend team and are waiting to hear back (2 years ago)
- Ignacio Nelson validated this vulnerability (a year ago)
- ranjit-git has been awarded the disclosure bounty
- The fix bounty is now up for grabs
- Ignacio Nelson marked this as fixed in r1337 with commit 1d045b (a year ago)
- The fix bounty has been dropped
- This vulnerability will not receive a CVE