Cross-site Scripting (XSS) - Stored in alanaktion/phproject

Valid

Reported on

Feb 3rd 2022


Description

Stored Cross-Site Scripting (XSS) vulnerability caused by a lack of content validation and output encoding. The vulnerability is triggered when a user previews the document's content.

Proof of Concept

Log in and navigate to task > Dependencies

This task depends on:
This task is a dependency for:

"><img src=x onerror=confirm(1)>
https://drive.google.com/file/d/1hBAFUZODeb1mjC_2prlJK3JoKzhyWotA/view?usp=sharing

Impact

Stored XSS generally occurs when user input is stored on the target server, such as in a database, message forum, visitor log, or comment field, and a victim then retrieves the stored data from the web application without that data being made safe to render in the browser.
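The two missing controls named in the description, content validation and output encoding, shown side by side as an added example; this is not code from phproject or from the report. The function names, the `dependency` input markup, and the assumption that the field should hold a numeric task id are all hypothetical.

```php
<?php
declare(strict_types=1);

// Assumption: the dependency field should hold a positive numeric task id.
// Returns the id, or null when the submitted value must be rejected before storage.
function validateDependencyId(string $input): ?int
{
    $id = filter_var($input, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Encode a stored value for HTML element and quoted-attribute contexts at output time.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// 'Before' (hypothetical markup): stored value concatenated into a quoted attribute unencoded.
function renderUnsafe(string $stored): string
{
    return '<input name="dependency" value="' . $stored . '">';
}

// 'After': same markup, with the value encoded for the context it lands in.
function renderSafe(string $stored): string
{
    return '<input name="dependency" value="' . e($stored) . '">';
}

// Constructed inputs: the string from the Proof of Concept and a well-formed id.
$samples = ['"><img src=x onerror=confirm(1)>', '42'];

foreach ($samples as $input) {
    $id = validateDependencyId($input);
    echo 'input:     ', $input, PHP_EOL;
    echo 'validated: ', $id === null ? 'rejected' : "accepted as $id", PHP_EOL;
    echo 'unsafe:    ', renderUnsafe($input), PHP_EOL;
    echo 'safe:      ', renderSafe($input), PHP_EOL, PHP_EOL;
}
```

Validation at input keeps malformed values out of storage, but encoding at output is the control that holds when a value reaches the page by some other path.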

We are processing your report and will contact the alanaktion/phproject team within 24 hours. 2 years ago
We have contacted a member of the alanaktion/phproject team and are waiting to hear back 2 years ago
We have sent a follow up to the alanaktion/phproject team. We will try again in 4 days. 2 years ago
We have sent a second follow up to the alanaktion/phproject team. We will try again in 7 days. 2 years ago
We have sent a third follow up to the alanaktion/phproject team. We will try again in 14 days. 2 years ago
Alan Hardman validated this vulnerability 2 years ago
aravindd007 has been awarded the disclosure bounty
The fix bounty is now up for grabs
Alan Hardman marked this as fixed in 1.7.13 with commit 00c6bb 2 years ago
The fix bounty has been dropped
issues.php#L24-L232 has been validated
Alan Hardman
2 years ago

Maintainer


This report was not very thorough and it was not clear how the issue could actually be reproduced. Giving more detail in the steps to reproduce the issue would be very helpful in the future.

Raptor
2 years ago

Researcher


Sir, please read the Proof of Concept steps to reproduce.
