Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager
Valid
Reported on Jul 4th 2021
In the repo online rental property manager, I found a stored XSS which gets exploited on member profile view, which is led by group name.
🕵️♂️ Proof of Concept
Video POC: https://drive.google.com/file/d/1oQUZmQfFwaiRUkGYVkJoXxedeSENDbwQ/view?usp=sharing

Steps to reproduce:
1. Create a group with name s"'><img src=x onerror=alert('gn')>
2. Save and then add member.
3. Add member into newly created group.
4. Save and login from member and click on member username and you will see xss exploitation.
This vulnerability is capable of Stored XSS.
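The fix a maintainer would apply is to HTML-encode the stored group name at the point where the member profile view prints it. The following is an added example and not the project's code: render_group_name_vulnerable() and render_group_name_safe() are hypothetical stand-ins for that rendering step, and the only page-specific value is the payload string from the report above.

```php
<?php
// Added example, not the project's code. The two render functions are
// hypothetical stand-ins for wherever the member profile view prints the
// group name; the payload string is the one from the report above.

// Vulnerable: the stored group name is concatenated into the page as-is.
// The double quote, single quote and '>' in the payload terminate the
// attribute and element, and the injected <img> element's onerror handler
// then runs in the viewer's browser.
function render_group_name_vulnerable(string $group_name): string {
    return '<span class="group" title="' . $group_name . '">'
        . $group_name . '</span>';
}

// Hardened: encode for the HTML context at output time, not at storage time.
// ENT_QUOTES matters for this payload because it contains a single quote;
// before PHP 8.1 the default flags leave ' unencoded, which is enough to
// break out of a single-quoted attribute. ENT_SUBSTITUTE keeps invalid UTF-8
// from turning the whole field into an empty string.
function render_group_name_safe(string $group_name): string {
    $safe = htmlspecialchars($group_name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<span class="group" title="' . $safe . '">'
        . $safe . '</span>';
}

// Group name from the report's step 1.
$payload = 's"\'><img src=x onerror=alert(\'gn\')>';

// Prints markup with a live <img onerror=...> element.
echo render_group_name_vulnerable($payload), PHP_EOL;

// Prints the same text with < > " ' converted to entities, so the browser
// shows the group name literally and no element is created.
echo render_group_name_safe($payload), PHP_EOL;
```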