Cross-site scripting in the contact module of tsolucio/corebos

Valid

Reported on

Mar 24th 2023


Steps to reproduce

  1. Open https://demo.corebos.com and navigate to Settings > Users.
  2. Put the XSS payload in the Entity Name field of a user and save.
  3. Navigate to Contacts > Create contact > Add contact, expand "more information" and click "add opportunity".
  4. In the "Assigned to" drop-down, the stored Entity Name is rendered as the option text without HTML encoding; select the entry carrying the payload and save. The payload executes in the browser of whoever loads the form.

XSS payload: "><img src=x onerror=alert(1)>
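The root cause described in the steps is an untrusted, stored value (a user's Entity Name) being concatenated into the markup of a drop-down. The snippet below is an added illustration written for this page, not coreBOS's own template code: it rebuilds an "Assigned to" select two ways, once by interpolating the stored name directly and once with output encoding, and feeds it the payload from the report. The field name assigned_user_id, the user IDs 19x1/19x7 and all function names are assumptions chosen for the example.

```javascript
// Added illustration, not coreBOS's own code: why a stored user name reaches
// the DOM as markup when an <option> is built by string concatenation, and
// how context-aware output encoding neutralises the same input.

// The payload exactly as given in the report, stored verbatim as a user's
// Entity Name. The leading "> is there to break out of a quoted attribute.
const PAYLOAD = '"><img src=x onerror=alert(1)>';

// Minimal HTML entity encoder covering the characters that matter in both
// element-text and double-quoted attribute contexts. '&' goes first so the
// other replacements are not double-encoded.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hypothetical vulnerable renderer: the stored name is interpolated as-is,
// both inside an attribute value and as the option's visible text.
function renderOptionUnsafe(userId, entityName) {
  return `<option value="${userId}" data-name="${entityName}">${entityName}</option>`;
}

// Hardened renderer: identical markup, but every untrusted value is encoded
// at the point where it is emitted.
function renderOptionSafe(userId, entityName) {
  const name = escapeHtml(entityName);
  return `<option value="${escapeHtml(userId)}" data-name="${name}">${name}</option>`;
}

// Constructed sample users for the drop-down; one of them carries the payload.
const USERS = [
  { id: '19x1', name: 'Administrator' },
  { id: '19x7', name: PAYLOAD },
];

// Builds the whole "Assigned to" select with the chosen option renderer.
function renderAssignedTo(users, renderOption) {
  const options = users.map((u) => renderOption(u.id, u.name)).join('\n');
  return `<select name="assigned_user_id">\n${options}\n</select>`;
}

// Crude detector used only to make the difference visible: does the fragment
// open any tag other than <select> / <option>? A real test would parse the
// fragment with a DOM and walk the element tree instead of using a regex.
function containsForeignTag(html) {
  return /<(?!\/?(?:option|select)\b)[a-z]/i.test(html);
}

console.log('--- unsafe ---');
console.log(renderAssignedTo(USERS, renderOptionUnsafe));
console.log('--- safe ---');
console.log(renderAssignedTo(USERS, renderOptionSafe));
```

In the unsafe output the first `"` of the payload closes the `data-name` attribute and `<img src=x onerror=alert(1)>` becomes a real element inside the select, which is exactly the stored XSS the steps reproduce; in the safe output the same bytes arrive as `&quot;&gt;&lt;img ...&gt;` and the browser shows them as text. The fix belongs at output time, per context, not at input time: the same name may legitimately contain `<` or `"`, and it is rendered in more than one place.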

Impact

Because the payload is stored in a user record and rendered unencoded in a form that other users open, it executes in the browser of any user who loads the Assigned to list, not only the attacker's. Stored XSS can cause problems ranging from a nuisance to complete account compromise, such as session theft or actions performed with the victim's privileges.

We are processing your report and will contact the tsolucio/corebos team within 24 hours. 6 months ago
We have contacted a member of the tsolucio/corebos team and are waiting to hear back 6 months ago
Joe Bordes validated this vulnerability 4 months ago
Rahul Parmar has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Joe Bordes marked this as fixed in 8 with commit 659e32 4 months ago
Joe Bordes has been awarded the fix bounty
This vulnerability has been assigned a CVE
Joe Bordes published this vulnerability 4 months ago