Cross-site Scripting (XSS) - Stored in alanaktion/phproject

Valid

Reported on

Feb 3rd 2022


Description

A stored cross-site scripting (XSS) vulnerability exists due to the lack of content validation and output encoding. The vulnerability is triggered when the user previews the document's content.

Proof of Concept

Log in and navigate > task > Dependencies

This task depends on:
This task is a dependency for:

"><img src=x onerror=confirm(1)>
https://drive.google.com/file/d/1hBAFUZODeb1mjC_2prlJK3JoKzhyWotA/view?usp=sharing

Impact

Stored XSS generally occurs when user input is stored on the target server, such as in a database, a message forum, a visitor log, or a comment field, and a victim is then able to retrieve the stored data from the web application without that data being made safe to render in the browser.
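
The attribute breakout that the proof-of-concept string relies on, next to the output encoding and content validation the description says were missing, as an added example (not phproject's code and not its actual fix). The field name `dependency`, the function names, and the rule that a dependency is a positive integer task ID are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample: the PoC string from the report, as read back from storage.
$stored = '"><img src=x onerror=confirm(1)>';

// Vulnerable pattern: the stored value goes into an attribute unencoded, so the
// leading "> closes the attribute and the tag, and the rest parses as markup.
function renderUnsafe(string $value): string
{
    return '<input name="dependency" value="' . $value . '">';
}

// Output encoding: encode at render time for the HTML context, quotes included.
function renderSafe(string $value): string
{
    $encoded = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<input name="dependency" value="' . $encoded . '">';
}

// Content validation at write time. Assumption: a dependency is a positive
// integer task ID, so anything else is rejected before it is stored.
function validateDependencyId(string $value): ?int
{
    $id = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Parse the rendered HTML and count <img> elements to see whether the stored
// value stayed data or became markup.
function countImgElements(string $html): int
{
    $previous = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    return $doc->getElementsByTagName('img')->length;
}

echo renderUnsafe($stored), PHP_EOL;
echo renderSafe($stored), PHP_EOL;
printf("img elements (unencoded): %d\n", countImgElements(renderUnsafe($stored)));
printf("img elements (encoded):   %d\n", countImgElements(renderSafe($stored)));
var_dump(validateDependencyId($stored));
var_dump(validateDependencyId('42'));
```

Encoding at output is the control that stops the stored value from being parsed as markup; validation at write time only narrows what can reach storage.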

We are processing your report and will contact the alanaktion/phproject team within 24 hours. a year ago
We have contacted a member of the alanaktion/phproject team and are waiting to hear back a year ago
We have sent a follow up to the alanaktion/phproject team. We will try again in 7 days. a year ago
We have sent a second follow up to the alanaktion/phproject team. We will try again in 10 days. a year ago
We have sent a third and final follow up to the alanaktion/phproject team. This report is now considered stale. a year ago
Alan Hardman validated this vulnerability a year ago
Raptor has been awarded the disclosure bounty
The fix bounty is now up for grabs
Alan Hardman marked this as fixed in 1.7.13 with commit 00c6bb a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
issues.php#L24-L232 has been validated
Alan Hardman
a year ago

Maintainer


This report was not very thorough and it was not clear how the issue could actually be reproduced. Giving more detail in the steps to reproduce the issue would be very helpful in the future.

Raptor
a year ago

Researcher


Sir, please read the Proof of Concept steps to reproduce.
