Cross-site Scripting (XSS) - Stored in alanaktion/phproject

Valid

Reported on

Feb 3rd 2022


Description

Stored Cross-Site Scripting (XSS) vulnerability due to the lack of content validation and output encoding. The vulnerability can be triggered when the user previews the document's content.

Proof of Concept

Log in and navigate to: task > Dependencies

This task depends on:
This task is a dependency for:

"><img src=x onerror=confirm(1)>
https://drive.google.com/file/d/1hBAFUZODeb1mjC_2prlJK3JoKzhyWotA/view?usp=sharing

Impact

Stored XSS generally occurs when user input is stored on the target server, such as in a database, a message forum, a visitor log, or a comment field, and a victim is then able to retrieve the stored data from the web application without that data being made safe to render in the browser.
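
The two missing controls named in the description, output encoding and content validation, applied to the payload from the proof of concept. This is an added example, not code from phproject or from the fix commit; the field name `dependency`, the markup, the helper names and the numeric-ID rule are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample: the stored value as it would come back from the database.
$stored = '"><img src=x onerror=confirm(1)>';

/** Vulnerable pattern: the stored value is concatenated into an attribute as-is,
 *  so the leading "> closes the attribute and the tag. */
function renderUnsafe(string $value): string
{
    return '<input type="text" name="dependency" value="' . $value . '">';
}

/** Encode for HTML text and quoted-attribute contexts.
 *  ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid
 *  UTF-8 instead of returning an empty string. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Hardened pattern: same markup, value encoded at output time. */
function renderSafe(string $value): string
{
    return '<input type="text" name="dependency" value="' . e($value) . '">';
}

/** Input validation (hypothetical rule: a dependency is a positive numeric
 *  issue ID). Returns null for anything else so the caller can reject it. */
function parseIssueId(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Compare the two renderings of the same stored value.
echo renderUnsafe($stored), PHP_EOL;
echo renderSafe($stored), PHP_EOL;

// Validation rejects the payload before it is ever stored and accepts an ID.
var_dump(parseIssueId($stored));
var_dump(parseIssueId('42'));
```

Validation narrows what can be stored, but encoding at output is the control that still holds for data already in the database.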

We are processing your report and will contact the alanaktion/phproject team within 24 hours. 4 months ago
We have contacted a member of the alanaktion/phproject team and are waiting to hear back 4 months ago
We have sent a follow up to the alanaktion/phproject team. We will try again in 7 days. 4 months ago
We have sent a second follow up to the alanaktion/phproject team. We will try again in 10 days. 3 months ago
We have sent a third and final follow up to the alanaktion/phproject team. This report is now considered stale. 3 months ago
Alan Hardman validated this vulnerability 3 months ago
Raptor has been awarded the disclosure bounty
The fix bounty is now up for grabs
Alan Hardman confirmed that a fix has been merged on 00c6bb 3 months ago
The fix bounty has been dropped
issues.php#L24-L232 has been validated
Alan Hardman
3 months ago

Maintainer


This report was not very thorough and it was not clear how the issue could actually be reproduced. Giving more detail in the steps to reproduce the issue would be very helpful in the future.

Raptor
2 months ago

Researcher


Sir, please read the Proof of Concept steps to reproduce.
