huntr / Thelabda / 98E935F3-4213-4088-9E73-338C59A75246
Sep 02, 2021 - 9:30 a.m.

Cross-site Scripting (XSS) - Stored in leantime/leantime

2021-09-02 09:30:47
thelabda
www.huntr.dev
10
cross-site scripting
stored
leantime
research menu
payload
session identifiers
confidentiality

✍️ Description

A malicious actor is able to add a “new board” with a malicious payload against any target; when the research menu is opened, the XSS payload is executed.

🕵️‍♂️ Proof of Concept

1. Log in as a user with an appropriate role.
2. Add a new board to the system from the research menu on the left.
3. Insert the following payload in the name field: <script>alert(document.cookie)</script>
4. Open the research menu; the XSS payload is executed.

💥 Impact

With such an opportunity, the malicious actor is able to gather session identifiers from any user. Once this information is received, the confidentiality and integrity of the target's account are compromised.
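The fix for this class of bug is to encode the stored board name when it is written into the menu's HTML. The sketch below is an added example, not Leantime's code: `escapeHtml`, `renderBoardMenu` and the sample rows are hypothetical, and it assumes PHP 7.3 or later for the array form of `session_set_cookie_params`.

```php
<?php
declare(strict_types=1);

// Defence in depth for the impact described above: an HttpOnly session cookie
// is not readable through document.cookie. Set before any output is sent.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);

// Hypothetical helper: encode untrusted text for an HTML text or attribute context.
function escapeHtml(string $value): string
{
    // ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE replaces invalid
    // UTF-8 sequences instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical renderer for a menu of board names loaded from storage.
// $escape = false reproduces the vulnerable behaviour for comparison.
function renderBoardMenu(array $boards, bool $escape): string
{
    $items = '';
    foreach ($boards as $board) {
        $name = $escape ? escapeHtml($board['name']) : $board['name'];
        $items .= sprintf('<li><a href="/boards/%d">%s</a></li>', $board['id'], $name);
    }
    return '<ul>' . $items . '</ul>';
}

// Constructed sample rows; the second name is the payload from the proof of concept.
$boards = [
    ['id' => 1, 'name' => 'Market research'],
    ['id' => 2, 'name' => '<script>alert(document.cookie)</script>'],
];

$unsafe = renderBoardMenu($boards, false);
$safe   = renderBoardMenu($boards, true);

// The unescaped menu carries a live script element; the escaped one carries
// the same characters as inert text.
if (strpos($unsafe, '<script>') === false) {
    throw new RuntimeException('expected raw markup in the unescaped output');
}
if (strpos($safe, '<script>') !== false
    || strpos($safe, '&lt;script&gt;alert(document.cookie)&lt;/script&gt;') === false) {
    throw new RuntimeException('escaping did not neutralise the stored name');
}

echo 'unescaped: ', $unsafe, PHP_EOL;
echo 'escaped:   ', $safe, PHP_EOL;
```

Encoding at output time also neutralises names that were stored before any input validation was added.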