Reflected XSS via "stuffid" parameter in tsolucio/corebos

Valid

Reported on

Aug 22nd 2022


Description

The value for the stuffid parameter is reflected in the web context without proper filtering in place resulting in possibility to execute malicious javascript code.

Testing Environment

  1. Windows OS
  2. Firefox Browser

Proof of Concept

  1. Visit https://demo.corebos.com/index.php?module=Home&action=HomeAjax&file=NewBlock&stuffid=nerrorsec%22%20%20onmouseover=%22alert(1)
  2. Hover over any icon displayed in the page to execute the payload.

Impact

The attacks commonly include transmitting private data, like cookies or other session information, to the attacker, redirecting the victim to web content controlled by the attacker, or performing other malicious operations on the user’s machine under the guise of the vulnerable site.

We are processing your report and will contact the tsolucio/corebos team within 24 hours. a year ago
Niraj Khatiwada modified the report
a year ago
We have contacted a member of the tsolucio/corebos team and are waiting to hear back a year ago
Joe Bordes validated this vulnerability a year ago
nerrorsec has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Joe Bordes marked this as fixed in 8.0 with commit e41c4f a year ago
Joe Bordes has been awarded the fix bounty
to join this conversation