Stored XSS on add Group Name in causefx/organizr

Valid

Reported on

Apr 12th 2022


Description

XSS found on function add Group Name on User Management module at Organizr (2.1.1810).

Proof of Concept

  1. Go to User Management -> Manage Group
  2. Add new group
  3. Insert payload on "Group Name" field then Add Group

Payload

  1. "><script >alert("xss-here");</script>

Screenshot

  1. xss-triger
  2. version
  3. document cookie

Impact

This vulnerability is capable of executing a malicious javascript code in web page and stealing user's session and also obtain sensitive information.

We are processing your report and will contact the causefx/organizr team within 24 hours. a month ago
causefx
a month ago

Maintainer


This is already fixed in dev branch.

causefx validated this vulnerability a month ago
din has been awarded the disclosure bounty
The fix bounty is now up for grabs
causefx confirmed that a fix has been merged on a09d83 a month ago
causefx has been awarded the fix bounty
din
a month ago

Researcher


noted. thanks for validating this

causefx
a month ago

Maintainer


No worries, thank you submitting it.

to join this conversation