Cross-site Scripting (XSS) - Stored in tsolucio/corebos

Valid

Reported on

Nov 3rd 2021


Description

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites

Proof of Concept

Step to Reproduce:

  1. Go to http://demo.corebos.com/index.php?module=Users&action=DetailView&record=1&modechk=prefview
  2. add the payload : "><script>alert(1)</script> on the Last Name placeholder and save.
  3. alert pops up !!

poc image: https://ibb.co/FHQNbx7

Impact

Stored xss

We are processing your report and will contact the tsolucio/corebos team within 24 hours. a month ago
We have contacted a member of the tsolucio/corebos team and are waiting to hear back a month ago
We have contacted a member of the tsolucio/corebos team and are waiting to hear back a month ago
Joe Bordes validated this vulnerability a month ago
D3lT4 has been awarded the disclosure bounty
The fix bounty is now up for grabs
Joe Bordes confirmed that a fix has been merged on e9f1f4 a month ago
Joe Bordes has been awarded the fix bounty