The Organizr application allows a malicious JavaScript payload in multiple input fields, such as "Categories", "Bookmark Tabs" and "Bookmark Categories" (stored XSS), through which an attacker can take over the admin account.
1. Log in to the co-admin account and go to "Settings" -> "Tab Editor".
2. Now, in the "Add" options for "Categories", "Bookmark Tabs" and "Bookmark Categories", insert the payloads below:
<img src>
<img src>
<img src>
3. Then log in with the admin account, go to "Settings" -> "Tab Editor" and visit "Categories", "Bookmark Tabs" and "Bookmark Categories"; you will see the XSS trigger in all of those fields.
https://drive.google.com/file/d/1n9FvXxzzmvtZc4VsdzOHl0oPxSnSDpMy/view?usp=sharing
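As an added example that is not Organizr's own code, the following shows the fix a maintainer would apply for this class of bug: the three Tab Editor field values are treated as untrusted text and HTML-encoded before being placed in the page, and a server-side check flags submitted values that contain markup. The function names, the row template and the sample input are assumptions constructed for the example.

```javascript
// Added example (not Organizr's code): Tab Editor field values submitted by a
// co-admin are untrusted text and must never be concatenated into HTML raw.

const TAB_EDITOR_FIELDS = ["Categories", "Bookmark Tabs", "Bookmark Categories"];

// Encode the characters that let text escape an HTML text node or attribute,
// so a value like "<img src>" is displayed literally instead of parsed.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Build the HTML for one Tab Editor row (hypothetical template). With
// escape=false this reproduces the vulnerable pattern: the stored value is
// inserted as-is and the admin's browser parses it as markup.
function renderTabEditorRow(field, value, { escape = true } = {}) {
  if (!TAB_EDITOR_FIELDS.includes(field)) {
    throw new Error(`unknown Tab Editor field: ${field}`);
  }
  const shown = escape ? escapeHtml(value) : value;
  return `<td data-field="${escapeHtml(field)}">${shown}</td>`;
}

// Server-side check on save: a category or bookmark name has no business
// containing a tag opener, so flag it for rejection or audit logging.
function containsMarkup(value) {
  return /<[a-z!\/]/i.test(String(value));
}

// Constructed sample: a co-admin submits the page's payload as a category name.
const submitted = { field: "Categories", value: "<img src>" };

if (containsMarkup(submitted.value)) {
  console.log(`rejected ${submitted.field}: markup in value`);
}
console.log("vulnerable:", renderTabEditorRow(submitted.field, submitted.value, { escape: false }));
console.log("hardened:  ", renderTabEditorRow(submitted.field, submitted.value));
```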