DaybydayCRM

vulnerability cross site scripting
severity 7
language javascript
registry other

✍️ Description

Stored XSS in the calendar title

🕵️‍♂️ Proof of Concept

First go to http://127.0.0.1:8000/appointments/calendar and create a new appointment. During creation, put the XSS payload xss"'><img src=x onerror=alert()> in the Title field and save it. Now open the calendar by going to http://127.0.0.1:8000/appointments/calendar and see that the XSS is executed.

Video

https://drive.google.com/file/d/1fOuDt_A1QeYJNMcnM9l-8zg--0BC3hQs/view?usp=sharing

[c](javAsCriPt://example.com//%0aprompt();//http://asda.com)

💥 Impact

XSS attack
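
The title used in the proof of concept begins with `"'>`, which closes a quoted attribute or an open tag before the `<img>` element starts, so the stored value has to be encoded for both attribute and element-body output. The following is an added example, not DaybydayCRM's code: the renderer functions, the record shape and the sample date are assumptions made for illustration. It shows a stored title concatenated into markup beside the same template with output encoding.

```javascript
// Added example: hypothetical renderer, not DaybydayCRM's own code.
// Constructed sample record; the title is the string from the report.
const appointment = {
  id: 1,
  title: `xss"'><img src=x onerror=alert()>`,
  start: "2021-01-01T10:00:00", // constructed date
};

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored title is concatenated into markup as-is,
// once inside a quoted attribute and once inside the element body.
function renderEventUnsafe(appt) {
  return `<div class="event" title="${appt.title}">${appt.title}</div>`;
}

// Hardened pattern: encode on output in both contexts.
function renderEventSafe(appt) {
  const t = escapeHtml(appt.title);
  return `<div class="event" title="${t}">${t}</div>`;
}

// Count element start tags in a markup string. The template itself
// contributes exactly one (<div>); anything above that came from the data.
function countStartTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

console.log("unsafe tags:", countStartTags(renderEventUnsafe(appointment)));
console.log("safe tags:  ", countStartTags(renderEventSafe(appointment)));
console.log(renderEventSafe(appointment));
```

Encoding at output time keeps the title stored as entered while the calendar displays it as text; a check like `countStartTags` can serve as a regression test for the template.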