Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

Reported on Jul 3rd 2021

✍️ Description

Stored xss in pageTransferOwnership.php where sourceMemberID parameter leads to xss which gets stored in pageViewRecords.php

🕵️‍♂️ Proof of Concept

Steps to reproduce:
1. Go to admin account
2. Visit URL <localhost>/app/admin/pageTransferOwnership.php?sourceGroupID=2&sourceMemberID="><script>alert(1)</script>

💥 Impact

This vulnerability is capable of Stored XSS.

x3rz modified their report
23 days ago
We have contacted a member of the bigprof-software/online-rental-property-manager team and are waiting to hear back 23 days ago
BigProf Software validated this vulnerability 23 days ago
x3rz has been awarded the disclosure bounty
The fix bounty is now up for grabs
BigProf Software confirmed that a fix has been merged on 2dc485 23 days ago
BigProf Software has been awarded the fix bounty