Cross-site Scripting (XSS) - Generic in okTurtles/group-income-simple

Reported on Apr 19th 2021

✍️ Description

Stored xss via group name

🕵️‍♂️ Proof of Concept


  1. admin user -->attacker -->firefox browser

  2. user 2 -->victim -->chrome browser

  3. First from admin user create a group with xss payload xss"'><img src=x onerror=alert(document.domain)> . Now grab the sharing link and share with user 2 .

  4. When user 2 open this sharing link then xss is executed .

#Video Poc

💥 Impact

Xss attack