DaybydayCRM

vulnerability cross site scripting
severity 9.1
language javascript
registry other

✍️ Description

Stored xss via lead title

🕵️‍♂️ Proof of Concept

First goto http://127.0.0.1:8000/leads/create and create a new lead . During creation put xss payload xss"'><img src=x onerror=alert()> in Title field and save it . Now open lead by going http://127.0.0.1:8000/leads and see xss is executed

Video -->

https://drive.google.com/file/d/1nj-PF-oEqTVhXJP1g40nL0Cow3i7ov6W/view?usp=sharing

💥 Impact

xss attack