Cross-site Scripting (XSS) - Reflected in erudika/scoold

Valid

Reported on

Aug 10th 2021

✍️ Description

It occurs when a malicious script is injected directly into a vulnerable web application. Reflected XSS involves the reflecting of a malicious script off of a web application, onto a user's browser.

🕵️‍♂️ Proof of Concept

https://live.scoold.com/people/avatar?url=https%3A%2F%2Fbrutelogic.com.br%2Fpoc.svg

Poc screen shot

https://drive.google.com/file/d/1aib4ht7_0gppNSnHEDrU3PkBaGK-HFwS/view?usp=sharing

💥 Impact

A cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.

Occurrences

ProfileController.java L18-L256

References

https://owasp.org/www-community/attacks/xss/

We have contacted a member of the erudika/scoold team and are waiting to hear back 2 years ago

Alex Bogdanovski validated this vulnerability 2 years ago

Raptor has been awarded the disclosure bounty

The fix bounty is now up for grabs

Alex Bogdanovski marked this as fixed with commit 1f71ee 2 years ago

Alex Bogdanovski has been awarded the fix bounty

This vulnerability will not receive a CVE

to join this conversation

We have contacted a member of the erudika/scoold team and are waiting to hear back 2 years ago

Alex Bogdanovski validated this vulnerability 2 years ago

Raptor has been awarded the disclosure bounty

The fix bounty is now up for grabs

Alex Bogdanovski marked this as fixed with commit 1f71ee 2 years ago

Alex Bogdanovski has been awarded the fix bounty

This vulnerability will not receive a CVE

to join this conversation