Cross-site Scripting (XSS) - Stored in knadh/listmonk

Valid
Reported on May 17th 2021

✍️ Description

Hello, I found a stored XSS in Logs while creating a new campaign (it works with other stuff too, not only campaigns).

🕵️‍♂️ Proof of Concept

https://drive.google.com/file/d/1Y5CMQdfzzdWwcCsQ8y85GgWPOilJVOgo/view?usp=sharing

Sorry for the bad quality.

Payload:

asdf"><img src=x onerror=alert(1)>

💥 Impact

XSS