huntr / Domiee13 / C7715149-F99C-4D62-A5C6-C78BFDB41905
Jun 07, 2022 - 12:10 p.m.

Bypass filter - Stored XSS in Resources

2022-06-07 12:10:48
domiee13
www.huntr.dev
website
vulnerable
stored xss
resources module
cross-site scripting
proof of concept
firefox
rosariosis
demonstration
pop up
bug bounty

EPSS

0.001

Percentile

21.4%

Description

The website incorrectly neutralizes user-controllable input before it is placed in output that is served as a web page to other users.

Proof of concept

javaSCRIPT:alert(origin)

Steps to reproduce (works on Firefox, not in Chromium-based browsers)

1. Go to https://www.rosariosis.org/demonstration/ and log in with the administrator account

2. Go to https://www.rosariosis.org/demonstration/Modules.php?modname=Resources/Resources.php

3. Create a new link with the content javaSCRIPT:alert(origin)

4. Click the link and observe a pop-up

Image POC

https://drive.google.com/file/d/164Sk7viMV4gHvrmDykJZ9euivfoHlN-1/view?usp=sharing

https://drive.google.com/file/d/1-v6coqFoi0fQxjyak61XlH6GEFLiN2x7/view?usp=sharing

Video POC

https://drive.google.com/file/d/1JGwM0_WBShHRWnAc9l-9zY26ayZF3rSW/view?usp=sharing
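
A defensive check for the Resources link field described above, as an added example that is not RosarioSIS code or part of the original report. It assumes the bypassed filter was a case-sensitive match on `javascript:` (the report does not show the filter); `naiveFilter`, `normalizeLink`, `escapeHtml` and `renderLink` are hypothetical names, and the first sample row is constructed.

```javascript
// Added example, not RosarioSIS code. Names below are hypothetical.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Assumed shape of the bypassed filter: case-sensitive blocklist.
function naiveFilter(link) {
  return !link.startsWith("javascript:");
}

// Parse the link the way a browser does, then allowlist the scheme.
// The WHATWG URL parser lowercases the scheme, so javaSCRIPT: and
// javascript: are the same value by the time it is compared.
function normalizeLink(link) {
  if (typeof link !== "string") return null;
  let url;
  try {
    url = new URL(link); // throws on relative or malformed input
  } catch {
    return null;
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Render a stored resource; rejected links become plain text.
function renderLink(title, link) {
  const href = normalizeLink(link);
  if (href === null) return escapeHtml(title);
  return `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${escapeHtml(title)}</a>`;
}

// Constructed sample rows; the second link is the value from the report.
const samples = [
  ["School site", "HTTPS://Example.org/docs?a=1&b=2"],
  ["Reported value", "javaSCRIPT:alert(origin)"],
];
for (const [title, link] of samples) {
  console.log(naiveFilter(link), renderLink(title, link));
}
```

The check belongs on both save and render, so that values stored before the fix are also neutralized when the page is served.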
