Code Injection in tsolucio/corebos


Reported on

Nov 6th 2021


The user can control a point and infuse arbitrary HTML code into a vulnerable web page. This vulnerability can have numerous results, like disclosure of a user’s session treats that might be utilized to impersonate the victim, or, more generally, it can permit the aggressor to alter the page substance seen by the victims.

Proof of Concept

Go to::

// (Content Injection Length)

import webbrowser

payload = "| 7h3h4ckv157 |" * 354
url = "" + payload + "&module=Home"


HTML Injection: Malicious URL + Content

An injection permits the attacker to send a malicious HTML page to a victim. The targeted browser will not be able to recognize genuine parts from malicious parts of the page, and subsequently will parse and execute the entire page within the victim’s context. Attacker is able to control an input point and is able to inject subjective HTML code into a vulnerable web page.

We are processing your report and will contact the tsolucio/corebos team within 24 hours. 2 years ago
Joe Bordes validated this vulnerability 2 years ago
7h3h4ckv157 has been awarded the disclosure bounty
The fix bounty is now up for grabs
Joe Bordes marked this as fixed with commit ba92bb 2 years ago
Joe Bordes has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation