Cross-site Scripting (XSS) - Stored in alanaktion/phproject
Valid
Reported on
Feb 3rd 2022
Description
Stored Cross-Site Scripting (XSS) vulnerability due to the lack of content validation and output encoding. The vulnerability is triggered when the user previews the document's content.
Proof of Concept
Log in and navigate to task > Dependencies
This task depends on:
This task is a dependency for:
"><img src=x onerror=confirm(1)>
https://drive.google.com/file/d/1hBAFUZODeb1mjC_2prlJK3JoKzhyWotA/view?usp=sharing
Impact
Stored XSS generally occurs when user input is stored on the target server, such as in a database, a message forum, a visitor log, or a comment field. A victim then retrieves the stored data from the web application without that data being made safe to render in the browser.
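The missing output encoding described above, shown with the payload from the proof of concept. This is an added example, not code from the report or from phproject: the function names and the `depends_on` field name are hypothetical, and it assumes PHP's dom extension is available.

```php
<?php
// Added illustration, not phproject code. All names here are hypothetical.

// Constructed sample: the proof-of-concept value as it would be read back from storage.
$stored = '"><img src=x onerror=confirm(1)>';

// Vulnerable pattern: the stored value is placed in an attribute unencoded,
// so the leading "> closes the attribute and the tag.
function render_unsafe(string $value): string
{
    return '<input type="text" name="depends_on" value="' . $value . '">';
}

// Hardened pattern: encode for the HTML context at output time.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid
// UTF-8 sequences instead of returning an empty string.
function render_safe(string $value): string
{
    $encoded = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="depends_on" value="' . $encoded . '">';
}

// Parse the markup the way an HTML parser would and report what it contains.
function inspect(string $html): array
{
    libxml_use_internal_errors(true);   // fragment input triggers parser warnings
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    libxml_clear_errors();
    $input = $doc->getElementsByTagName('input')->item(0);
    return [
        'img_elements' => $doc->getElementsByTagName('img')->length,
        'input_value'  => $input ? $input->getAttribute('value') : null,
    ];
}

foreach (['unsafe' => render_unsafe($stored), 'safe' => render_safe($stored)] as $label => $html) {
    $result = inspect($html);
    printf(
        "%-6s img elements: %d, value round-trips intact: %s\n",
        $label,
        $result['img_elements'],
        $result['input_value'] === $stored ? 'yes' : 'no'
    );
}
```

Encoding at output time leaves the stored text unchanged, so the field still displays exactly what the user typed while the parser never sees injected markup.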
Occurrences
We are processing your report and will contact the alanaktion/phproject team within 24 hours.
4 months ago
We have contacted a member of the alanaktion/phproject team and are waiting to hear back
4 months ago
We have sent a follow up to the alanaktion/phproject team. We will try again in 7 days.
4 months ago
We have sent a second follow up to the alanaktion/phproject team. We will try again in 10 days.
3 months ago
We have sent a third and final follow up to the alanaktion/phproject team. This report is now considered stale.
3 months ago
The fix bounty has been dropped
issues.php#L24-L232 has been validated
This report was not very thorough and it was not clear how the issue could actually be reproduced. Giving more detail in the steps to reproduce the issue would be very helpful in the future.