Cross-site Scripting (XSS) - Stored in Dolibarr/dolibarr

Valid
Reported on May 17th 2021

💥 BUG

Stored xss bypassing xss filter

💥 SUMMURY

There are many different user with different role . Here using this xss bug lower level user can make xss attack against higher level user

💥 PAYLOAD

<a href="javascript:alert(document.domain)">XSS15</a>

💥 STEP TO REPRODUCE

  1. First goto your account and edit a product . Now put above xss payload in Description field and save it . Now click the link of above payload and see xss is executed

💥 VIDEO

https://drive.google.com/file/d/1gfDTFGsBKW73uRtmUM3D_4Qcb0B4Ez03/view?usp=sharing