Cross-site Scripting (XSS) - Reflected in francoisjacquet/rosariosis

Valid

Reported on

May 21st 2022

Description

I find Relected XSS in search function.

Proof of Concept

1.Login with admin or teacher account

2.Access this url: https://www.rosariosis.org/demonstration/Modules.php?discipline_entry_begin=2022-05-219195%27);alert(1);//%27&discipline_entry_end=2022-05-21&modname=Discipline/Referrals.php&search_modfunc=list -> Script will be reflected in onclick and onkeypress events.

3.When victim try to type anything on search input field or click on search icon -> Alert box will pop up

Image

XSS trigger

Script Reflected in some event

Impact

This vulnerability is capable of Cross-Site Scripting

References

https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)

We are processing your report and will contact the francoisjacquet/rosariosis team within 24 hours. 2 years ago

A GitHub Issue asking the maintainers to create a SECURITY.md exists 2 years ago

We have contacted a member of the francoisjacquet/rosariosis team and are waiting to hear back 2 years ago

François Jacquet validated this vulnerability 2 years ago

dungtuanha has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

François Jacquet marked this as fixed in 9.0 with commit bfe6e0 2 years ago

François Jacquet has been awarded the fix bounty

This vulnerability will not receive a CVE

to join this conversation