Cross-site Scripting (XSS) - Stored in notrinos/notrinoserp

Valid

Reported on

May 8th 2022


Description

The software does not neutralize, or incorrectly neutralizes, user-controllable input before it is placed in output that is used as a web page served to other users (CWE-79). Here the item name entered on the Add Item page is stored and later rendered into the item list page without HTML encoding, so any user who views that list executes the stored script.

Proof of Concept

1. Add an item whose name is the payload <script>alert(location)</script>. https://drive.google.com/file/d/148ERlRpfmNDpNXY4X3sW8SqP_UOmute8/view?usp=sharing

2. Open the Item list. The stored payload is rendered unescaped and the script executes. https://drive.google.com/file/d/1ITonDK4LRg4fEsL8FY7-1G7dTwIhqlJo/view?usp=sharing https://drive.google.com/file/d/1eMU6WD6ZZiqCKE9f08iUKFjJo2fRJyeg/view?usp=sharing
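The following is an added example, not code from NotrinosERP or from the reporter: it models the two steps above in plain JavaScript so the defect and the fix can be checked side by side. The item records, the table template and the helper names (escapeHtml, renderItemListVulnerable, renderItemListSafe, containsRawScriptTag) are assumptions for illustration; the only thing taken from the report is the payload itself.

```javascript
// Added example (not NotrinosERP's own code): a stored item description that is
// concatenated straight into the item list page, next to the output-encoded form.

// Constructed item records as they might come back from the items table.
// The second description is the exact payload from the report; the third
// exercises quote and apostrophe handling in the encoder.
const ITEMS = [
  { stock_id: "A001", description: "Widget", category: "Parts" },
  { stock_id: "X001", description: "<script>alert(location)</script>", category: "Parts" },
  { stock_id: "B002", description: "Bracket \"heavy\" 3'", category: "Parts" },
];

// Encode the five characters that matter in HTML text and in double- or
// single-quoted attribute values. '&' must be replaced first so that the
// entities produced by the later replacements are not re-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable rendering: stored fields go into the markup unchanged, so the
// description "<script>alert(location)</script>" becomes a live script tag.
function renderItemListVulnerable(items) {
  return items
    .map(it => `<tr><td>${it.stock_id}</td><td>${it.description}</td><td>${it.category}</td></tr>`)
    .join("\n");
}

// Fixed rendering: every user-controlled field is encoded at the point where it
// is written into the page. Encoding on output (not on input) keeps the stored
// data intact and protects every page that later displays it, not just this one.
function renderItemListSafe(items) {
  return items
    .map(it => `<tr><td>${escapeHtml(it.stock_id)}</td><td>${escapeHtml(it.description)}</td><td>${escapeHtml(it.category)}</td></tr>`)
    .join("\n");
}

// Simple regression check for the item list: a raw <script ...> tag must never
// survive rendering, because the template itself does not emit one.
function containsRawScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

function demo() {
  const vulnerable = renderItemListVulnerable(ITEMS);
  const safe = renderItemListSafe(ITEMS);
  console.log("vulnerable rendering contains a raw <script> tag:", containsRawScriptTag(vulnerable));
  console.log("safe rendering contains a raw <script> tag:", containsRawScriptTag(safe));
  console.log(safe);
  return { vulnerable, safe };
}

demo();
```

The check in containsRawScriptTag is deliberately narrow (a script tag is what this report demonstrates); it is not a substitute for encoding, since payloads using event-handler attributes or other tags would pass it. The fix is the encoder applied to every user-controlled field on output.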

Impact

Every user who opens the item list has the attacker's JavaScript executed in their browser, in the context of their own authenticated NotrinosERP session. Because the payload is stored in the item name, it fires for each user who views the list, not only for the attacker, and any user able to add items can plant it.

Timeline

We are processing your report and will contact the notrinos/notrinoserp team within 24 hours. 5 months ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 4 months ago
We have contacted a member of the notrinos/notrinoserp team and are waiting to hear back a month ago
Phương gave praise a month ago: "The problem has been reproduced and fixed. Thanks @nickshadows"
Phương validated this vulnerability a month ago
Nick has been awarded the disclosure bounty
The fix bounty is now up for grabs
Phương confirmed that a fix has been merged on 036277 a month ago
The fix bounty has been dropped
Nick
a month ago

Researcher


@admin can you please assign a CVE for this?

Jamie Slome
a month ago

Admin


Same here, happy to proceed with a CVE once we get the go-ahead from the maintainer 👍

Nick
a month ago

Researcher


@maintainer , I would be glad if you could approve for CVE.

Phương
a month ago

Maintainer


Same here, happy to proceed with a CVE once we get the go-ahead from the maintainer 👍

@admin yes please go ahead

Jamie Slome
a month ago

Admin


Sorted 👍
