Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager

Reported on Jul 4th 2021

✍️ Description

In the repo online rental property manager where i found a stored xss which gets exploited on member profile view which is lead by group name.

🕵️‍♂️ Proof of Concept

Video POC:

Steps to reproduce:
1. Create a group with name s"'><img src=x onerror=alert('gn')>
2. Save and then add member.
3. Add member into newly created group 
4. Save and login from member and click on member username and you will see xss exploitation.

💥 Impact

This vulnerability is capable of Stored XSS.

We have contacted a member of the bigprof-software/online-rental-property-manager team and are waiting to hear back 22 days ago
BigProf Software validated this vulnerability 16 days ago
0daksh0 has been awarded the disclosure bounty
The fix bounty is now up for grabs
BigProf Software confirmed that a fix has been merged on 3cd1e1 16 days ago
BigProf Software has been awarded the fix bounty