Cross-site Scripting (XSS) - Stored in francoisjacquet/rosariosis
Apr 23rd 2022
he software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Proof of Concept
- login as an admin
- go to https://www.rosariosis.org/demonstration/Modules.php?modname=School_Setup/PortalNotes.php
- paste payload <iframe srcdoc="<svg onload=alert(1);>"> to notes
- observe alert pop up