Cross-site Scripting (XSS) - Stored in knadh/listmonk

Valid

Reported on

May 17th 2021


✍️ Description

Hello, I found stored xss on Logs while creating new campaign (works with other stuff not only campaign)

🕵️‍♂️ Proof of Concept

https://drive.google.com/file/d/1Y5CMQdfzzdWwcCsQ8y85GgWPOilJVOgo/view?usp=sharing

sorry for bad quality

Payload:

asdf"><img src=x onerror=alert(1)>

💥 Impact

xss

Kailash Nadh
a year ago

Maintainer


No permission to view the linked file on GDrive.

kirareys
a year ago

Researcher


Oh, sorry I didn't see. I uploaded it here on Youtube as unlisted https://www.youtube.com/watch?v=l7nK6FkzFIc

to join this conversation