Bad Sanitization on "vtlib_purify" function leads to XSS - vulnerability database | Vulners.com
Source: huntr, Reporter: bugraeskici, ID: F0272A31-9944-4545-8428-A26154D20348
History: Aug 31, 2022 - 3:15 a.m.

Bad Sanitization on "vtlib_purify" function leads to XSS

2022-08-31 03:15:07
bugraeskici
www.huntr.dev
10
sanitization
xss
vtlib_purify
javascript
payload
proof of concept
stored xss
bug bounty

EPSS: 0.001 (Low)
EPSS Percentile: 23.3%

Description

The whole project is using “vtlib_purify” for the sanitization of user inputs. It does a good job of stripping HTML tags like <script> and <svg>. However, it allows the <a> tag, and we can use the javascript protocol on the href attribute by changing the ":" character to "&colon;".
So, our final payload is an <a href=...>click</a> link whose href uses javascript&colon; in place of javascript: (the exact payload is shown URL-encoded in the proof of concept below).
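As an added example, not code from the report or from coreBOS/vtlib_purify: the Python below contrasts a naive scheme check, which looks at the raw attribute text and therefore accepts the report's javascript&colon; payload, with a hardened check that decodes HTML character references and strips control characters before comparing the scheme against an allowlist. The function names, the allowlist and the sample href values are assumptions constructed for this example; it also generalises beyond the report's named-entity case to numeric references and embedded whitespace, which browsers treat the same way when they parse an attribute value.

```python
import html
import re
from urllib.parse import urlsplit

# Allowlist of schemes an href may carry after normalisation. Anything else
# (javascript:, data:, vbscript: ...) is rejected; scheme-less relative URLs pass.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Constructed sample attribute values (not taken from a real application).
# The fourth is the form used in the report: the browser decodes &colon; to ':'
# when it parses the attribute, so the link runs as a javascript: URL even
# though the raw text never contains the string "javascript:".
SAMPLE_HREFS = [
    "https://demo.corebos.com/index.php?module=Accounts",  # legitimate absolute URL
    "/index.php?module=Reports&action=ReportsAjax",         # relative URL, legitimate
    "mailto:security@example.invalid",                      # allowed scheme
    "javascript&colon;alert(document.domain)",              # named entity (the report)
    "&#106;avascript:alert(1)",                             # decimal entity for the 'j'
    "jav&#x09;ascript:alert(1)",                            # tab entity inside the scheme
    "JavaScript:alert(1)",                                  # mixed case
    "data:text/plain,hello",                                # scheme not on the allowlist
]


def naive_href_is_safe(href: str) -> bool:
    """Check of the kind the report describes (illustrative, not vtlib_purify's code).

    It inspects the raw attribute text, so "javascript&colon;..." does not
    start with "javascript:" and is accepted.
    """
    return not href.lstrip().lower().startswith("javascript:")


def normalise_href(href: str) -> str:
    """Bring an href into the form the browser will actually act on.

    1. Decode HTML character references (&colon;, &#58;, &#x3a;, &#x09; ...),
       which the browser decodes while parsing the attribute value. A second
       pass also collapses double-encoded forms such as &amp;colon;; this is
       conservative, since it can only reject more inputs, never accept more.
    2. Remove ASCII control characters and whitespace, which browsers ignore
       when they parse the scheme of a URL.
    """
    decoded = html.unescape(html.unescape(href))
    return re.sub(r"[\x00-\x20\x7f]", "", decoded)


def href_is_safe(href: str) -> bool:
    """Allowlist check on the normalised scheme.

    Scheme-less (relative) URLs are accepted; any explicit scheme must be in
    ALLOWED_SCHEMES. Returns False for the report's javascript&colon; payload.
    """
    scheme = urlsplit(normalise_href(href)).scheme.lower()
    return scheme == "" or scheme in ALLOWED_SCHEMES


def sanitise_href(href: str) -> str:
    """Value to write back into the href attribute: the original text if its
    scheme is allowed, otherwise an inert fragment link."""
    return href if href_is_safe(href) else "#"


def compare(hrefs):
    """Return {href: (naive_verdict, hardened_verdict)} for a list of values."""
    return {h: (naive_href_is_safe(h), href_is_safe(h)) for h in hrefs}


if __name__ == "__main__":
    for href, (naive, hardened) in compare(SAMPLE_HREFS).items():
        print(f"naive={naive!s:5} hardened={hardened!s:5}  {href}")
```

The point of the design is that the check runs on the value the browser will see, not on the bytes the application received, and that it asks "is this scheme allowed?" rather than "is this scheme javascript?", so a scheme the check never anticipated is rejected by default.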

Proof of Concept

For example, the file “NewReport0” is using “vtlib_purify” for the “reportmodule” parameter and prints the user’s input after sanitization.
We can get the XSS using the payload above.

https://demo.corebos.com/index.php?module=Reports&action=ReportsAjax&file=NewReport0&reportmodule=%3Ca+href=javascript%26colon;alert(document.domain)%3ECLICK%20ME

We can also get stored XSS in comments. Check https://demo.corebos.com/index.php?module=Accounts&action=DetailView&record=87, and you will see a comment created by me that includes XSS.
