Reflected XSS on "DetailViewAjax" via "relation_id" parameter in tsolucio/corebos

Valid

Reported on

Aug 31st 2022


Description

The value of the "relation_id" parameter passed to "DetailViewAjax" is reflected into the page source without any sanitization. This results in reflected XSS, which allows cookie stealing.

Proof of Concept

https://demo.corebos.com/index.php?module=Leads&action=LeadsAjax&file=DetailViewAjax&record=4514&ajxaction=LOADRELATEDLIST&header=Emails&relation_id=13%27%20id%3Dx%20tabindex%3D1%20onfocus%3Dalert(document.domain)%20a=&actions=add&start=#x

Impact

This vulnerability allows an attacker to inject their own JavaScript code into the "DetailViewAjax" page via a crafted link.
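The following is an added illustration, not coreBOS code: a hypothetical handler that shows why the proof-of-concept value above breaks out of a single-quoted attribute, and the two defensive steps (rejecting a non-numeric id, and attribute-context escaping with ENT_QUOTES) that neutralize it. The element markup and function names are assumptions for the example.

```php
<?php
// Added illustration, not coreBOS code: a hypothetical stand-in for how an
// id parameter can end up inside an HTML attribute in a related-list widget.

// Constructed input: the report's proof-of-concept value, URL-decoded.
$poc = "13' id=x tabindex=1 onfocus=alert(document.domain) a=";

// Vulnerable pattern: the parameter is interpolated into a single-quoted
// attribute as-is. The leading quote closes the attribute and the rest of
// the value becomes new attributes (id, tabindex, onfocus) on the element,
// so focusing the element (the "#x" fragment does that) runs the handler.
function renderVulnerable(string $relationId): string
{
    return "<div class='relatedlist' data-relation='{$relationId}'></div>";
}

// Hardened pattern, step 1: relation ids are numeric (assumption, based on
// the numeric ids in the report), so reject anything else before it reaches
// the template at all.
function validateRelationId(string $raw): ?int
{
    return ctype_digit($raw) ? (int) $raw : null;
}

// Hardened pattern, step 2: anything still echoed into markup is escaped for
// the attribute context. ENT_QUOTES matters for this payload: without it
// htmlspecialchars() leaves single quotes untouched (the default on PHP
// versions before 8.1), and the break-out still works.
function renderHardened(string $relationId): string
{
    $safe = htmlspecialchars($relationId, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<div class='relatedlist' data-relation='{$safe}'></div>";
}

echo renderVulnerable($poc), PHP_EOL;
// data-relation='13' id=x tabindex=1 onfocus=alert(document.domain) a=''

var_dump(validateRelationId($poc));   // NULL: the request should be rejected
var_dump(validateRelationId('13'));   // int(13)

echo renderHardened($poc), PHP_EOL;
// data-relation='13&#039; id=x tabindex=1 onfocus=alert(document.domain) a='
// (the whole payload stays inside one inert attribute value)
```

In the hardened output the single quote becomes `&#039;`, so the browser never sees a second attribute boundary; the numeric check alone would already have rejected the request.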

We are processing your report and will contact the tsolucio/corebos team within 24 hours. a year ago
We have contacted a member of the tsolucio/corebos team and are waiting to hear back a year ago
Joe Bordes validated this vulnerability a year ago
Bugra has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Joe Bordes marked this as fixed in 8.0 with commit 7cd68a a year ago
Joe Bordes has been awarded the fix bounty
This vulnerability will not receive a CVE