Code Injection in collectiveaccess/providence
Valid
Reported on Sep 25th 2021
# Description
Client-side injection
# Proof of Concept
1. Open https://demo.collectiveaccess.org/find/QuickSearch/Index
2. Click on search and input the following code in the search bar: `<a href =http://google.com/>clickme</a>`
https://i.ibb.co/tmB0K64/client.png
# Impact
This vulnerability allows malicious code to be injected into the application.
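An added example, not part of the original report and not code from collectiveaccess/providence: it contrasts reflecting a search term raw with HTML-encoding it on output, using the payload from the proof of concept, and counts the elements the term manages to create. The function names and the `<h2>` template are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; not taken from the Providence code base.

/** Vulnerable pattern: the raw search term is concatenated into markup. */
function renderSearchHeadingUnsafe(string $term): string
{
    return '<h2>Results for: ' . $term . '</h2>';
}

/** Hardened pattern: the term is HTML-encoded before it reaches element content. */
function renderSearchHeadingSafe(string $term): string
{
    $encoded = htmlspecialchars($term, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<h2>Results for: ' . $encoded . '</h2>';
}

/** Counts elements in the fragment other than the <h2> the template itself emits. */
function countInjectedElements(string $fragment): int
{
    libxml_use_internal_errors(true); // tolerate fragment-level parser warnings
    $doc = new DOMDocument();
    $doc->loadHTML('<div id="root">' . $fragment . '</div>');
    libxml_clear_errors();

    $xpath = new DOMXPath($doc);
    return $xpath->query('//div[@id="root"]//*[not(self::h2)]')->length;
}

// Search term taken from the proof of concept in the report.
$payload = '<a href =http://google.com/>clickme</a>';

$renderers = [
    'unsafe' => 'renderSearchHeadingUnsafe',
    'safe'   => 'renderSearchHeadingSafe',
];

foreach ($renderers as $label => $render) {
    $html = $render($payload);
    printf("%-6s injected elements: %d\n       output: %s\n",
        $label, countInjectedElements($html), $html);
}
```

The element count can serve as a regression check: a correctly encoded search term should never add elements to the rendered page.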
We have contacted a member of the collectiveaccess/providence team and are waiting to hear back (2 years ago)