Cross-site Scripting (XSS) - Stored in zmister2016/mrdoc

Valid

Reported on

Aug 29th 2021


✍️ Description

Stored XSS bug allows executing arbitrary JavaScript code in the victim's account

🕵️‍♂️ Proof of Concept

1. First create a document and put the XSS payload below inside the document content.
xss"''><img src=x onerror=alert()>
2. Now when any user views this document project, the XSS is executed.

VIDEO POC --> https://drive.google.com/file/d/1oT1sfXJy31QFXCsC4SCe1IM9FrRftg5m/view?usp=sharing

💥 Impact

Stored XSS bug allows executing arbitrary JavaScript code in the victim's account

📍 Location apps.py#L3

Occurrences

ranjit-git modified the report a year ago

Z-Old (Admin) a year ago

Hey ranjit, I've just contacted the repo maintainer for you.

We have contacted a member of the zmister2016/mrdoc team and are waiting to hear back a year ago
zmister2016 validated this vulnerability a year ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
zmister2016 marked this as fixed with commit 46ef53 a year ago
zmister2016 has been awarded the fix bounty
This vulnerability will not receive a CVE
apps.py#L3 has been validated
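
An added example, not part of the original report and not the mrdoc project's code or its fix: one way to neutralize the reported payload before stored document content is rendered, using an allow-list sanitizer built on Python's standard library. The tag and attribute policy and the names `AllowListSanitizer` and `sanitize` are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Assumed policy for this example: what a document viewer is allowed to keep.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "code", "pre", "ul", "ol", "li", "a", "img", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
VOID_TAGS = {"img", "br"}
SAFE_PREFIXES = ("http://", "https://", "/")


class AllowListSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # drop the tag itself; any text inside it is still escaped
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # drops onerror, onclick, style and every other unlisted attribute
            value = value or ""
            if name in ("href", "src") and not value.strip().lower().startswith(SAFE_PREFIXES):
                continue  # drops javascript:, data: and anything not http(s) or root-relative
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=True))  # text is always entity-encoded


def sanitize(content: str) -> str:
    parser = AllowListSanitizer()
    parser.feed(content)
    parser.close()  # flush any buffered trailing text
    return "".join(parser.out)


PAYLOAD = "xss\"''><img src=x onerror=alert()>"  # payload string from the report above
if __name__ == "__main__":
    print(sanitize(PAYLOAD))
```

The `onerror` handler is removed because it is not on the attribute allow-list, and the leading `"''>` is entity-encoded so it cannot break out of surrounding markup.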