Reflected XSS via "stuffid" parameter in tsolucio/corebos

Valid

Reported on

Aug 22nd 2022


Description

The value for the stuffid parameter is reflected in the web context without proper filtering in place resulting in possibility to execute malicious javascript code.

Testing Environment

  1. Windows OS
  2. Firefox Browser

Proof of Concept

  1. Visit https://demo.corebos.com/index.php?module=Home&action=HomeAjax&file=NewBlock&stuffid=nerrorsec%22%20%20onmouseover=%22alert(1)
  2. Hover over any icon displayed in the page to execute the payload.

Impact

The attacks commonly include transmitting private data, like cookies or other session information, to the attacker, redirecting the victim to web content controlled by the attacker, or performing other malicious operations on the user’s machine under the guise of the vulnerable site.

We are processing your report and will contact the tsolucio/corebos team within 24 hours. a month ago
nerrorsec modified the report
a month ago
We have contacted a member of the tsolucio/corebos team and are waiting to hear back a month ago
Joe Bordes validated this vulnerability a month ago
nerrorsec has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Joe Bordes confirmed that a fix has been merged on e41c4f a month ago
Joe Bordes has been awarded the fix bounty
to join this conversation