clientResponse Client Management XSS Vulnerability

ID 1337DAY-ID-22874
Type zdt
Reporter Halil Dalabasmaz
Modified 2014-11-15T00:00:00


clientResponse gives each client their own account that provides a Dashboard for them to monitor their projects, upload/download & comment on documents and files related to their projects, make project payments, and communicate with you. clientResponse makes it easier to take a phased approach to projects by organizing documents and communications with each of your clients.

===Stored XSS===
The script's message system does not sanitize user input: XSS payloads entered into the "Subject" and "Message" inputs are stored and later rendered unescaped. If the payload is placed in the "Subject" field and the message is sent to the admin, it executes in the admin's browser as soon as the admin logs in and views the message. The inputs in the profile section are vulnerable as well.
Sample Payload for Stored XSS: "><script>alert(document.cookie);</script>
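The payload above starts with `">` because it is aimed at an input whose stored value is echoed back inside a quoted HTML attribute: the `"` closes the attribute, the `>` closes the tag, and the `<script>` that follows becomes live markup. The snippet below is an added illustration, not clientResponse's code, that reconstructs that pattern in Python: a hypothetical unsafe renderer that interpolates the subject and message straight into HTML, beside the hardened form that escapes on output with quotes encoded, plus a crude check showing that the advisory's payload survives the first and is neutralized by the second. The template markup and function names are assumptions made for the example.

```python
import html
import re

# The payload given in the advisory, embedded here as the example input.
PAYLOAD = '"><script>alert(document.cookie);</script>'

# Hypothetical reconstruction of the vulnerable pattern (not the project's code):
# the stored subject is echoed into a quoted attribute, the message into an element body.
def render_unsafe(subject: str, message: str) -> str:
    return (
        f'<input type="text" name="subject" value="{subject}">\n'
        f'<div class="message">{message}</div>'
    )

# Hardened form: contextual output encoding. quote=True is required because the
# subject lands inside a double-quoted attribute, where an unencoded " breaks out.
def render_safe(subject: str, message: str) -> str:
    return (
        f'<input type="text" name="subject" value="{html.escape(subject, quote=True)}">\n'
        f'<div class="message">{html.escape(message, quote=True)}</div>'
    )

SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)

# Demonstration check: does a raw <script tag survive in the rendered output?
# The clean template contains none, so any hit comes from user-controlled data.
def contains_live_script(rendered: str) -> bool:
    return SCRIPT_TAG.search(rendered) is not None

# Shows where the attribute value actually ends in each rendering, which is the
# difference between the payload being text and being markup.
def subject_attribute_value(rendered: str) -> str:
    match = re.search(r'value="([^"]*)"', rendered)
    return match.group(1) if match else ""

if __name__ == "__main__":
    print("unsafe, script survives:", contains_live_script(render_unsafe(PAYLOAD, "hello")))
    print("unsafe, attribute value:", repr(subject_attribute_value(render_unsafe(PAYLOAD, "hello"))))
    print("safe,   script survives:", contains_live_script(render_safe(PAYLOAD, PAYLOAD)))
    print("safe,   attribute value:", repr(subject_attribute_value(render_safe(PAYLOAD, PAYLOAD))))
```

In the unsafe rendering the `value` attribute is empty (the payload's leading `"` terminated it) and the `<script>` lands in the page; in the hardened rendering the whole payload stays inside the attribute as `&quot;&gt;&lt;script&gt;...`. The regex check is only a demonstration aid, not a defense: the fix is escaping every stored field, subject, message and profile inputs alike, at the point where it is written into HTML, with the encoding chosen for that context.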

