Cross-site Scripting (XSS) - Stored in alanaktion/phproject
Valid
Reported on
Feb 3rd 2022
Description
Stored Cross-Site Scripting (XSS) vulnerability due to the lack of content validation and output encoding. Then, the vulnerability can be triggered when the user previews the document´s content.
Proof of Concept
login and navigate > task > Dependencies
This task depends on:
This task is a dependency for:
"><img src=x onerror=confirm(1)>
https://drive.google.com/file/d/1hBAFUZODeb1mjC_2prlJK3JoKzhyWotA/view?usp=sharing
Impact
Stored XSS generally occurs when user input is stored on the target server, such as in a database, in a message forum, visitor log, comment field, etc. And then a victim is able to retrieve the stored data from the web application without that data being made safe to render in the browser.
Occurrences
We are processing your report and will contact the
alanaktion/phproject
team within 24 hours.
a year ago
We have contacted a member of the
alanaktion/phproject
team and are waiting to hear back
a year ago
We have sent a
follow up to the
alanaktion/phproject
team.
We will try again in 7 days.
a year ago
We have sent a
second
follow up to the
alanaktion/phproject
team.
We will try again in 10 days.
a year ago
We have sent a
third and final
follow up to the
alanaktion/phproject
team.
This report is now considered stale.
a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
issues.php#L24-L232
has been validated
This report was not very thorough and it was not clear how the issue could actually be reproduced. Giving more detail in the steps to reproduce the issue would be very helpful in the future.
to join this conversation