Cross-site Scripting (XSS) - Generic in okTurtles/group-income-simple

Valid
Reported on Apr 19th 2021

✍️ Description

Stored xss via group name

🕵️‍♂️ Proof of Concept

ACCOUNT

  1. admin user -->attacker -->firefox browser

  2. user 2 -->victim -->chrome browser

  3. First from admin user create a group with xss payload xss"'><img src=x onerror=alert(document.domain)> . Now grab the sharing link and share with user 2 .

  4. When user 2 open this sharing link then xss is executed .

#Video Poc

https://drive.google.com/file/d/1whTiWhtoLF87d5dEJqXL1mgIv6bq-lej/view?usp=sharing

💥 Impact

Xss attack