Stored XSS on add Group Name in causefx/organizr

Valid

Reported on

Apr 12th 2022


Description

A stored cross-site scripting (XSS) vulnerability exists in the add Group Name function of the User Management module in Organizr (version 2.1.1810). A group name submitted through Manage Group is stored and later rendered without HTML encoding, so script supplied in the name executes for any user who views the page.

Proof of Concept

  1. Go to User Management -> Manage Group
  2. Add a new group
  3. Insert the payload in the "Group Name" field, then click Add Group

Payload

  1. "><script >alert("xss-here");</script>
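The payload above starts with `">`, which is shaped to close an attribute value and its tag before opening a `<script>` element. The following added example (not Organizr's code, and not taken from the fix commit) reproduces that sink shape in plain JavaScript: a stored group name concatenated into markup unescaped, beside the same rendering with HTML encoding applied, and a small check a tester can run over the rendered output. The group records, renderer names and the `hasInjectedScript` helper are assumptions for illustration.

```javascript
// Added example, not Organizr's own code. Names and data shapes are assumed.

// The payload from the report. The leading "> closes an attribute value and
// its tag so that the <script> element that follows is parsed as markup.
const PAYLOAD = '"><script >alert("xss-here");</script>';

// Constructed sample: group records as they might be read back from storage
// unchanged (hypothetical shape, not Organizr's schema).
const STORED_GROUPS = [
  { id: 1, name: 'admins' },
  { id: 2, name: PAYLOAD },
];

// Vulnerable pattern: the stored value is concatenated straight into markup,
// once in an element context and once inside a quoted attribute.
function renderGroupUnsafe(group) {
  return `<tr><td>${group.name}</td>` +
         `<td><input name="groupName" value="${group.name}"></td></tr>`;
}

// Output encoding for HTML contexts: the five metacharacters are replaced
// before the value reaches markup. Encoding quotes matters here, otherwise
// the attribute context still breaks even if < and > are handled.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')   // first, so existing entities are not double-encoded
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Same template, encoded at the point of output.
function renderGroupSafe(group) {
  const name = escapeHtml(group.name);
  return `<tr><td>${name}</td>` +
         `<td><input name="groupName" value="${name}"></td></tr>`;
}

// Minimal check a tester can run over rendered markup: does a <script> tag
// appear that the template itself never emits? Case-insensitive and tolerant
// of the space in "<script >" used by the payload.
function hasInjectedScript(html) {
  return /<script\b/i.test(html);
}

// Render every stored group both ways and report which renderer leaks.
function audit(groups) {
  return groups.map((g) => ({
    id: g.id,
    unsafeLeaks: hasInjectedScript(renderGroupUnsafe(g)),
    safeLeaks: hasInjectedScript(renderGroupSafe(g)),
  }));
}

console.log(audit(STORED_GROUPS));
```

Encoding at output time is the relevant control: input-side filtering of the name would still leave other sinks exposed, and a stored value may be rendered in more than one context (here a text node and an attribute value). Any check like `hasInjectedScript` is only a smoke test for one payload shape; it does not prove the absence of XSS.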

Screenshot

  Attachments (images not included here): xss-triger, version, document cookie

Impact

This vulnerability allows an attacker who can add a group to execute arbitrary JavaScript in the browser of every user who views the affected page. The script runs in the origin of the Organizr instance, so it can read the session cookie (as shown in the document cookie screenshot), steal the user's session, and access or modify any data the victim can reach.

causefx
2 years ago

Maintainer


This is already fixed in dev branch.

causefx validated this vulnerability 2 years ago
din has been awarded the disclosure bounty
The fix bounty is now up for grabs
causefx marked this as fixed in 2.1.1830 with commit a09d83 2 years ago
causefx has been awarded the fix bounty
This vulnerability will not receive a CVE
din
2 years ago

Researcher


Noted. Thanks for validating this.

causefx
2 years ago

Maintainer


No worries, thank you for submitting it.
