Cross-site Scripting (XSS) - Stored in volmarg/personal-management-system

Valid

Reported on

Jul 4th 2021


💥 BUG

XSS via issue-name

💥 IMPACT

The stored XSS allows an attacker to execute arbitrary JavaScript in the victim's account.

💥 STEPS TO REPRODUCE

1. Go to http://personal-management-system.pl/my-issues/pending and create a new issue.
2. During creation, put the XSS payload below in the name field and save it:
   xss"'><img src=x onerror=alert()>
3. Now whenever you visit http://personal-management-system.pl/my-issues/pending, the XSS is executed.
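The bug class above, as an added example that is not the report's or the project's code: an issue name dropped into markup by string concatenation beside the hardened version that HTML-escapes it at the point of output, using the payload from this report. The row template, function names and `containsInjectedTag` check are assumptions for illustration, not the project's templates.

```javascript
// Added example (not from the report or the project). The row template and
// function names are assumptions; the payload string is the one reported.
const REPORTED_PAYLOAD = `xss"'><img src=x onerror=alert()>`;

// Escape the five characters that matter in HTML text and attribute contexts.
// Quotes must be included: the payload first closes a quoted attribute.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the untrusted issue name is interpolated untouched,
// once inside an attribute and once as text.
function renderIssueRowUnsafe(issue) {
  return `<tr><td title="${issue.name}">${issue.name}</td></tr>`;
}

// Hardened pattern: every untrusted value is escaped where it is emitted.
function renderIssueRowSafe(issue) {
  const name = escapeHtml(issue.name);
  return `<tr><td title="${name}">${name}</td></tr>`;
}

// Crude check a test suite can run over rendered output: does any tag
// other than the template's own appear in the result?
function containsInjectedTag(html, allowedTags = ['tr', 'td']) {
  const allowed = new Set(allowedTags);
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9-]*)/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (!allowed.has(m[1].toLowerCase())) return true;
  }
  return false;
}

const sampleIssue = { name: REPORTED_PAYLOAD }; // constructed sample issue
console.log(containsInjectedTag(renderIssueRowUnsafe(sampleIssue))); // true
console.log(containsInjectedTag(renderIssueRowSafe(sampleIssue)));   // false
```

A template engine that auto-escapes by default gives the same result, but only if the escaped value is never re-marked as raw or safe.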

💥 VIDEO

https://drive.google.com/file/d/1_uCpFemhsu1qKuxAofi8Gmeo4d8C5KVG/view?usp=sharing

ranjit-git modified their report
5 months ago
ranjit-git
5 months ago

Researcher


Please contact them via dwlodarczyk13@tlen.pl; see https://github.com/Volmarg/personal-management-system/issues/64 for more info.

We have contacted a member of the volmarg/personal-management-system team and are waiting to hear back 5 months ago
ranjit-git submitted a
4 months ago
Ziding Zhang
4 months ago

Admin


Hey ranjit, contacted the maintainer again via the email provided in the GitHub issue. Let's wait to hear back.

We have contacted a member of the volmarg/personal-management-system team and are waiting to hear back 4 months ago
A volmarg/personal-management-system maintainer validated this vulnerability 4 months ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
A volmarg/personal-management-system maintainer confirmed that a fix has been merged on 83d6e8 4 months ago
ranjit-git has been awarded the fix bounty