Cross-site Scripting (XSS) - Reflected in erudika/scoold

Valid

Reported on

Aug 10th 2021


✍️ Description

It occurs when a malicious script is injected directly into a vulnerable web application. Reflected XSS involves the reflecting of a malicious script off of a web application, onto a user's browser.

🕵️‍♂️ Proof of Concept

https://live.scoold.com/people/avatar?url=https%3A%2F%2Fbrutelogic.com.br%2Fpoc.svg

Poc screen shot

https://drive.google.com/file/d/1aib4ht7_0gppNSnHEDrU3PkBaGK-HFwS/view?usp=sharing

💥 Impact

A cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.

We have contacted a member of the erudika/scoold team and are waiting to hear back a month ago
Alex Bogdanovski validated this vulnerability a month ago
Raptor has been awarded the disclosure bounty
The fix bounty is now up for grabs
Alex Bogdanovski confirmed that a fix has been merged on 1f71ee a month ago
Alex Bogdanovski has been awarded the fix bounty