Rxss in msg parameter in unilogies/bumsys

Valid

Reported on Feb 21st 2023


Affected url

Affected parameter: msg

It appears that HTML tags are rendered in the page via the msg parameter. So I tried the <body> tag and it worked, so I tried adding event handlers, in this case onpageshow=alert(document.domain), and it triggered XSS.

POC : https://demo.bumsys.org/print/?msg=%3Cbody%20onpageshow=alert(document.domain)%3E

Impact

It could lead to stealing data using JavaScript execution.
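A regression check for this class of bug, as an added example that is not part of the original report and is not bumsys code: it renders a page with the reported msg value and parses the output to see whether the parameter introduced any tags or on* event handlers. The template and the functions `render_unsafe`, `render_escaped`, `audit` and `reflected_markup` are hypothetical stand-ins, written in Python for illustration.

```python
import html
from collections import Counter
from html.parser import HTMLParser

# Constructed template standing in for a page that echoes ?msg= (assumption,
# not the bumsys source).
TEMPLATE = "<html><body><div class='notice'>{msg}</div></body></html>"

def render_unsafe(msg: str) -> str:
    """Reflects the parameter verbatim: the behaviour the report describes."""
    return TEMPLATE.format(msg=msg)

def render_escaped(msg: str) -> str:
    """Encodes &, <, >, " and ' so the value stays text in an HTML context."""
    return TEMPLATE.format(msg=html.escape(msg, quote=True))

class _MarkupAudit(HTMLParser):
    """Records every start tag and every on* event-handler attribute."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers += [(tag, name) for name, _ in attrs if name.startswith("on")]

def audit(page: str):
    """Parse a rendered page and return (start_tags, event_handlers)."""
    parser = _MarkupAudit()
    parser.feed(page)
    parser.close()
    return parser.tags, parser.handlers

def reflected_markup(render, msg: str):
    """Return (extra_tags, handlers) present only because of msg.

    Counter subtraction is used so a value that swallows template tags
    (for example by opening a comment) does not raise.
    """
    baseline_tags, _ = audit(render(""))
    tags, handlers = audit(render(msg))
    extra = Counter(tags) - Counter(baseline_tags)
    return sorted(extra.elements()), handlers

# The decoded msg value from the report's proof of concept.
REPORT_MSG = "<body onpageshow=alert(document.domain)>"
```

A non-empty result from `reflected_markup` for any request parameter means the value reached the HTML parser as markup rather than text, which is the condition to fail a test on.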

We are processing your report and will contact the unilogies/bumsys team within 24 hours. a month ago
mukundbhuva modified the report a month ago
mukundbhuva modified the report a month ago
Khurshid Alam validated this vulnerability a month ago
mukundbhuva has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Khurshid Alam marked this as fixed in 2.0.0 with commit eb805f a month ago
Khurshid Alam has been awarded the fix bounty
This vulnerability will not receive a CVE
Khurshid Alam published this vulnerability a month ago