The application allows img tag & src attribute in “Name”,“Title” & “Group Name” fields for which attackers can perform stored cross-site scripting.
1.Login to the application and go to profile.
2.Now in the “Name” input field paste the below payload and click on “SAVE”
<img src>
3.After that when you go to any other page then XSS will trigger.
https://huntr.dev/bounties/6fc958d2-ec3b-4319-ac4a-eccec03908bb/
https://huntr.dev/bounties/b9c50ca6-99d5-48d4-ba2c-f5c50179aa3a/
https://drive.google.com/file/d/1dL1OXVye1tFEQuTqJpdE_aSCPcE9uj0S/view?usp=sharing
https://drive.google.com/file/d/1hK8W0u1Jjz424O44X_nEVrrU_CVReTT9/view?usp=sharing
https://drive.google.com/file/d/15kuPCDYI9nrFm1WXB0FFBQzkLU5XtrIy/view?usp=sharing