Stored XSS in "campaigns" in knadh/listmonk
Apr 30th 2022
The listmonk application is vulnerable to stored XSS in the "Name" input filed for "campaigns" for which when a user tried to delete the "campaigns" XSS gets triggered.
Proof of Concept
1.Go to "Campaigns" -> "All campaigns" -> "New"
2.Put this payload:
<img src=1 onerror=alert(document.domain)> in the "Name" input field and fill other details and click on Continue.
3.After that go to "All campaigns" you will see the payload in one of the name sections try to delete it then XSS will trigger.
This allows attackers to execute malicious scripts in the user's browser and it can lead to session hijacking, sensitive data exposure, and worse.