Code Injection in collectiveaccess/providence

Valid

Reported on Sep 25th 2021


# Description
Client-side injection

# Proof of Concept

Open https://demo.collectiveaccess.org/find/QuickSearch/Index

Click on the search input and enter the following code in the search bar: `<a href =http://google.com/>clickme</a>`

https://i.ibb.co/tmB0K64/client.png

# Impact
This vulnerability allows injecting malicious code into the application.
We have contacted a member of the collectiveaccess/providence team and are waiting to hear back a year ago
CollectiveAccess marked this as fixed with commit aaf573 a year ago
CollectiveAccess has been awarded the fix bounty
This vulnerability will not receive a CVE
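The report above shows a search term being reflected back into the page as live markup. The following is an added example, not CollectiveAccess code and not the content of commit aaf573: it contrasts a template that concatenates the raw term into HTML with one that escapes it for the HTML text and attribute contexts, and includes a small check that a test suite or response scanner could use to flag unexpected tags in rendered output. The function names, the `<h2>` template and the `allowedTags` list are assumptions for illustration; the payload is the one quoted in the proof of concept.

```javascript
// Added example (not part of the original report or the Providence code base).
// Payload quoted in the report, used here as constructed test input.
const CONSTRUCTED_PAYLOAD = '<a href =http://google.com/>clickme</a>';

// Vulnerable pattern: the raw search term is concatenated into the HTML response,
// so any tags it contains become part of the DOM.
function renderResultsHeaderUnsafe(term) {
  return '<h2>Results for: ' + term + '</h2>';
}

// Contextual output escaping: neutralise the five characters that carry meaning
// in HTML text and double/single-quoted attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern: same template, but the term is escaped before insertion.
function renderResultsHeaderSafe(term) {
  return '<h2>Results for: ' + escapeHtml(term) + '</h2>';
}

// Echoing the term back into the search box is an attribute context; the same
// escaper covers it because it also encodes the quote characters.
function renderSearchInputSafe(term) {
  return '<input type="text" name="search" value="' + escapeHtml(term) + '">';
}

// Detection aid: report true if the rendered fragment contains any tag that is
// not part of the template's own allow-list (hypothetical helper).
function containsInjectedTag(html, allowedTags) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b/g;
  const allowed = allowedTags.map((t) => t.toLowerCase());
  let match;
  while ((match = tagRe.exec(html)) !== null) {
    if (!allowed.includes(match[1].toLowerCase())) return true;
  }
  return false;
}

// Stand-alone demonstration.
console.log('unsafe:', renderResultsHeaderUnsafe(CONSTRUCTED_PAYLOAD));
console.log('safe:  ', renderResultsHeaderSafe(CONSTRUCTED_PAYLOAD));
console.log('input: ', renderSearchInputSafe(CONSTRUCTED_PAYLOAD));
```

With the unsafe renderer the `<a>` from the search term is a real element in the response; with the escaped renderer it is inert text, and `containsInjectedTag` distinguishes the two, which makes it a usable regression check for the fix.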
@0xAmal
a year ago
Researcher

thanks sir
