Cross-site Scripting (XSS) - Stored in cortezaproject/corteza-webapp-workflow
Aug 20th 2021
🕵️♂️ Proof of Concept
- Sign in to the application as admin
- Go to workflows
- Edit workflow and set the label of any element to below payload:
<img src=x onerror=alert(document.domain)>
The alert should pop-up and if you save it, then you can refresh the page and it should still be there.