Cross-site Scripting (XSS) - Stored in projectsend/projectsend

Valid

Reported on

Jul 2nd 2021


💥 BUG

Stored XSS during file upload

💥 STEPS TO REPRODUCE

Check this 1-minute video to reproduce the bug: https://drive.google.com/file/d/17TkVQxAOuXxSnlaPh4smvbJndcW-JQla/view?usp=sharing

💥 IMPACT

A lower-level user can make an XSS attack against an admin. So, using this XSS bug, a lower-level user can execute arbitrary JavaScript in the admin account.

7 months ago: We have contacted a member of the projectsend team and are waiting to hear back
23 days ago: Ignacio Nelson validated this vulnerability
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
23 days ago: Ignacio Nelson confirmed that a fix has been merged on 1d045b
The fix bounty has been dropped
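The report above states that a stored XSS payload submitted during file upload ends up executing in the admin's browser. The general mitigation for this class of bug is contextual output encoding of every stored, user-controlled value at the point it is written into HTML. The snippet below is an added illustration written for this page; it is not ProjectSend's code and not the fix referenced at commit 1d045b. The field names (`name`, `description`, `id`) and the sample record are assumptions and constructed data; the report does not state which upload field carried the payload.

```php
<?php
// Added illustration (not ProjectSend's code): render stored, user-supplied
// upload metadata in an admin-facing HTML listing with output encoding, so a
// stored XSS payload is displayed as text rather than executed.
// Field names ($file['name'], $file['description'], $file['id']) are assumptions.

declare(strict_types=1);

// Encode a value for HTML body and attribute contexts: & < > " ' are all escaped.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern (the kind of code that produces stored XSS):
//   return '<td>' . $file['name'] . '</td>';   // untrusted value emitted raw
//
// Hardened pattern: every untrusted value passes through e() as it enters HTML,
// and the numeric id is cast so it cannot carry markup into the href.
function renderFileRow(array $file): string
{
    return '<tr>'
        . '<td>' . e($file['name']) . '</td>'
        . '<td>' . e($file['description']) . '</td>'
        . '<td><a href="/download.php?id=' . (int) $file['id'] . '">download</a></td>'
        . '</tr>';
}

// Constructed sample record standing in for a row uploaded by a low-privilege user.
$sample = [
    'id'          => 42,
    'name'        => '<script>alert(1)</script>report.pdf',
    'description' => 'quarterly "results" & notes',
];

echo renderFileRow($sample), PHP_EOL;
// The output contains &lt;script&gt;alert(1)&lt;/script&gt;report.pdf, which the
// browser renders as literal text instead of running it.
```

Encoding at output time rather than at upload time is the more robust choice: the same stored value may later be rendered in several contexts (HTML body, attribute, JavaScript, URL), and each context needs its own encoder. A restrictive Content-Security-Policy on the admin pages reduces the impact of any encoding that is still missed, but it is a second layer, not a replacement for encoding.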