Reflected XSS via "stuffid" parameter in tsolucio/corebos

Valid

Reported on

Aug 22nd 2022


Description

The value for the stuffid parameter is reflected in the web context without proper filtering in place resulting in possibility to execute malicious javascript code.

Testing Environment

  1. Windows OS
  2. Firefox Browser

Proof of Concept

  1. Visit https://demo.corebos.com/index.php?module=Home&action=HomeAjax&file=NewBlock&stuffid=nerrorsec%22%20%20onmouseover=%22alert(1)
  2. Hover over any icon displayed in the page to execute the payload.

Impact

The attacks commonly include transmitting private data, like cookies or other session information, to the attacker, redirecting the victim to web content controlled by the attacker, or performing other malicious operations on the user’s machine under the guise of the vulnerable site.

We are processing your report and will contact the tsolucio/corebos team within 24 hours. 3 months ago
nerrorsec modified the report
3 months ago
We have contacted a member of the tsolucio/corebos team and are waiting to hear back 3 months ago
Joe Bordes validated this vulnerability 3 months ago
nerrorsec has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Joe Bordes marked this as fixed in 8.0 with commit e41c4f 3 months ago
Joe Bordes has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation