Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

Valid

Reported on Jul 3rd 2021


💥 BUG

Stored XSS via group name

💥 TESTED VERSION

latest version as of 01/07/21

💥 STEPS TO REPRODUCE

1. Create a group with the XSS payload below in its name:
group1"'><img src=x onerror=alert(22)>.
2. Now add a new user called user-B to the above group.
3. Finally, visit http://localhost/online-rental/app/admin/pageViewMembers.php and see that the XSS is executed.
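
An added example, not taken from the project or from its fix commit: a hypothetical member-list row renderer in PHP that writes a stored group name into the page unescaped, next to the same row with output encoding applied per context. The function names, row layout and sample rows are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not the project's code or its fix.

// Constructed rows standing in for what a members query returns.
$members = [
    ['user' => 'user-A', 'group' => 'Admins'],
    ['user' => 'user-B', 'group' => 'group1"\'><img src=x onerror=alert(22)>'],
];

// Encode for HTML text and quoted-attribute contexts (both quote styles).
function e(string $v): string
{
    return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Before: the stored group name is concatenated into markup unchanged.
function row_unescaped(array $m): string
{
    $g = $m['group'];
    return '<tr><td>' . $m['user'] . '</td><td>'
        . '<a title="' . $g . '" href="?group=' . $g . '">' . $g . '</a></td></tr>';
}

// After: each sink is encoded for its context at output time.
function row_escaped(array $m): string
{
    $g = $m['group'];
    return '<tr><td>' . e($m['user']) . '</td><td>'
        . '<a title="' . e($g) . '" href="?group=' . rawurlencode($g) . '">'
        . e($g) . '</a></td></tr>';
}

// Regression check: count tag openers in the rendered row. A count above
// what the template itself emits means stored data was parsed as markup.
function tag_count(string $html): int
{
    return preg_match_all('/<\/?[a-z]/i', $html);
}

foreach ($members as $m) {
    printf("%-7s unescaped=%d escaped=%d\n", $m['user'],
        tag_count(row_unescaped($m)), tag_count(row_escaped($m)));
}
```

A row whose two counts differ is one where the stored group name carried markup into the page.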

We have contacted a member of the bigprof-software/online-rental-property-manager team and are waiting to hear back (5 months ago)
BigProf Software confirmed that a fix has been merged on 2dc485 (5 months ago)
BigProf Software has been awarded the fix bounty