Lucene search
Quanghuy251120006FA6070E-8F7F-43AE-8A84-E36B28256123HistoryMay 29, 2023 - 7:08 a.m.
Cross-Site Scripting (Stored XSS)
2023-05-2907:08:12
quanghuy25112000
www.huntr.dev
7
cross-site scripting
stored xss
association's web link
proof of concept
bug bounty
administrator role
EPSS
0.001
Percentile
34.5%
Description
With Association’s board role, i can add a new web link. But, when i create a link, in Link name input field can insert an onfocus/autofocus attribute because do not processing for double quote.
Proof of Concept
- Login by account with Association’s board role
- Access funtion Web links and create new link
- Fill all input, at Link name input field, use payload xss" onfocus="alert(document.domain) and save
- Login by account with Administrator role
- Access funtion Web links and perform edit Web link
- XSS payload will be automatically executed
Related
osv
osv
CVE-2023-3109
2023-06-05 16:15:09
Admidio vulnerable to Cross-site Scripting
2023-06-05 18:30:27
gitlab
gitlab
cvelist
cvelist
CVE-2023-3109 Cross-site Scripting (XSS) - Stored in admidio/admidio
2023-06-05 00:00:00
veracode
veracode
Cross-Site Scripting (XSS)
2023-06-20 06:43:08
prion
prion
Cross site scripting
2023-06-05 16:15:00
github
github
Admidio vulnerable to Cross-site Scripting
2023-06-05 18:30:27
nvd
nvd
CVE-2023-3109
2023-06-05 16:15:09
cve
cve
CVE-2023-3109
2023-06-05 16:15:09