Cross-site Scripting (XSS) - Stored in tsolucio/corebos
Dec 9th 2021
Stored Cross-Site Scripting (XSS) vulnerability due to the lack of content validation and output encoding. This vulnerability can be exploited by uploading a crafted payload inside a document.
Proof of Concept
1. https://demo.corebos.com/index.php?module=Users&action=index&parenttab=Settings
2. settings > users
3. Editing users "Administrator"
4. Signature > sources

POC
https://drive.google.com/file/d/1lddcq22RjFDf317inKo_tdPQcMUkeiiE/view?usp=sharing
https://drive.google.com/file/d/1CCyYY44pa2l5Zfge4-FHBNDnpeMKKsOI/view?usp=sharing

XSS Payload
https://drive.google.com/file/d/1qSuKtzButCGbXCHnwFUll3FNJ-gxB-eH/view?usp=sharing
Stored XSS generally occurs when user input is stored on the target server, such as in a database, message forum, visitor log, or comment field, and a victim later retrieves the stored data from the web application without that data being made safe to render in the browser.
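The report attributes the issue to missing content validation and output encoding on the Signature field; the sketch below shows one way to apply both to a rich-text signature before it is stored or rendered. It is an added example, not coreBOS code (which is PHP), and does not replace a maintained HTML sanitizer library. The tag and scheme allowlists, the function names and the sample input are assumptions.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed policy for a rich-text signature; adjust to what the field really needs.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a"}
DROP_WITH_CONTENT = {"script", "style"}      # discard the element body too
SAFE_SCHEMES = {"http", "https", "mailto"}

def safe_href(value):
    """Return the URL only if its scheme is allowlisted, else None."""
    value = (value or "").strip()
    try:
        scheme = urlsplit(value).scheme.lower()
    except ValueError:                       # malformed URL: reject
        return None
    return value if scheme in SAFE_SCHEMES else None

class SignatureSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
        elif not self.skip and tag in ALLOWED_TAGS:
            # Every attribute is dropped (onclick, style, ...) except a vetted href.
            href = safe_href(dict(attrs).get("href")) if tag == "a" else None
            attr = ' href="%s" rel="noopener noreferrer"' % escape(href) if href else ""
            self.out.append("<%s%s>" % (tag, attr))

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag != "br":
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))    # text is always entity-encoded

def sanitize_signature(raw):
    parser = SignatureSanitizer()
    parser.feed(raw)
    parser.close()
    return "".join(parser.out)

# Constructed sample input, not the payload linked from the report.
SAMPLE = ('<p onclick="x()">Regards,<br><b>Admin</b></p><script>alert(1)</script>'
          '<img src=x onerror=alert(1)><a href="javascript:alert(1)">site</a> '
          '<a href="https://example.com/">ok</a>')
CLEAN = sanitize_signature(SAMPLE)
```

An unclosed script element leaves the skip counter raised, so everything after it is dropped rather than emitted.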