Cross-site Scripting (XSS) - Stored in changeweb/unifiedtransform


Reported on

May 18th 2021

✍️ Description

Stored Cross Site Scripting in the message/all.blade.php.

🕵️‍♂️ Proof of Concept

As a teacher, click on "My Courses" and then "message students". CKEditor hides the underlying <textarea> where we can add <script> tag or capture the request in a proxy like burpsuite and edit the HTTP POST request. adding payload

Select the student and submit the form. Now login as the student and check messages. JavaScript code will run successfully and alert box appears: poc

💥 Impact

This vulnerability can be used to gain access to student's account as well as admin's account as the view rendered by message/all.blade.php is accessible by admin also.

Hasib Mahmud
2 years ago


@admin sorry for late response. I didn't notice your email. Can you suggest any fix for this? Thanks.

Hasib Mahmud
2 years ago


@admin Fixed the issue in the latest commit. I have used Thank you.

Hasib Mahmud validated this vulnerability 2 years ago
0xcrypto has been awarded the disclosure bounty
The fix bounty is now up for grabs
Hasib Mahmud marked this as fixed with commit 8d0641 2 years ago
Hasib Mahmud has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation