Cross-site Scripting (XSS) - Stored in knadh/listmonk

Valid

Reported on

May 17th 2021


✍️ Description

Hello, I found a stored XSS on Logs while creating a new campaign (it works with other stuff, not only campaigns).

🕵️‍♂️ Proof of Concept

https://drive.google.com/file/d/1Y5CMQdfzzdWwcCsQ8y85GgWPOilJVOgo/view?usp=sharing

Sorry for the bad quality.

Payload:

asdf"><img src=x onerror=alert(1)>

💥 Impact

XSS
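The report above describes user-supplied text (a campaign name) reaching a Logs view unescaped. The following is an added example, not listmonk's code and not part of the original report: it shows log lines rendered by string concatenation beside the same lines rendered through Go's `html/template`, which escapes on output. The function names, markup and sample log lines are hypothetical, since the page does not show how the Logs view is actually built.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"strings"
)

// Constructed sample: log lines as a backend might record them after a user
// names a campaign with the payload quoted in the report.
var sampleLogs = []string{
	`2021/05/17 10:00:00 campaign created: weekly-news`,
	`2021/05/17 10:01:00 campaign created: asdf"><img src=x onerror=alert(1)>`,
}

// renderLogsUnsafe (hypothetical) concatenates log lines straight into markup,
// so any HTML stored in a line is parsed by the browser when logs are viewed.
func renderLogsUnsafe(lines []string) string {
	var b strings.Builder
	b.WriteString("<pre class=\"logs\">\n")
	for _, l := range lines {
		b.WriteString("<span class=\"line\">" + l + "</span>\n")
	}
	b.WriteString("</pre>")
	return b.String()
}

// logsTmpl renders the same markup, but html/template escapes each line
// for the HTML text context at output time.
var logsTmpl = template.Must(template.New("logs").Parse(
	`<pre class="logs">
{{range .}}<span class="line">{{.}}</span>
{{end}}</pre>`))

// renderLogsSafe (hypothetical) returns the escaped rendering.
func renderLogsSafe(lines []string) (string, error) {
	var buf bytes.Buffer
	if err := logsTmpl.Execute(&buf, lines); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	fmt.Println(renderLogsUnsafe(sampleLogs))
	safe, _ := renderLogsSafe(sampleLogs)
	fmt.Println(safe)
}
```

The stored value is left unchanged in both cases; only the rendering differs, which is why escaping at output covers every field that ends up in the log, not only campaign names.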

Kailash Nadh
3 years ago

Maintainer


No permission to view the linked file on GDrive.

kirareys
3 years ago

Researcher


Oh, sorry, I didn't see. I uploaded it here on YouTube as unlisted: https://www.youtube.com/watch?v=l7nK6FkzFIc
