Cross-site Scripting (XSS) - Generic in projectsend/projectsend
Reported on
Jan 10th 2022
Description
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.
Proof of Concept
Go to below url.XSS will be popuped.
http://localhost/projectsend/manage-files.php?search=bikram<%22%3E%3Cscript%3Ealert(1)%3C/script%3E
Impact
We can takeover user account by fetching session cookie.Lower level user can make xss attack against admin. So, using this xss bug lower level user can execute arbitary javascript in admin account