Cross-site Scripting (XSS) - Reflected in francoisjacquet/rosariosis

Valid

Reported on

May 21st 2022


Description

I find Relected XSS in search function.

Proof of Concept

1.Login with admin or teacher account

2.Access this url: https://www.rosariosis.org/demonstration/Modules.php?discipline_entry_begin=2022-05-219195%27);alert(1);//%27&discipline_entry_end=2022-05-21&modname=Discipline/Referrals.php&search_modfunc=list -> Script will be reflected in onclick and onkeypress events.

3.When victim try to type anything on search input field or click on search icon -> Alert box will pop up

Image

  • XSS trigger

1

  • Script Reflected in some event

2

Impact

This vulnerability is capable of Cross-Site Scripting

We are processing your report and will contact the francoisjacquet/rosariosis team within 24 hours. a month ago
We have contacted a member of the francoisjacquet/rosariosis team and are waiting to hear back a month ago
François Jacquet validated this vulnerability a month ago
dungtuanha has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
François Jacquet confirmed that a fix has been merged on bfe6e0 a month ago
François Jacquet has been awarded the fix bounty
to join this conversation