Version: 3.2.1
Description
An authenticated user can store a JavaScript payload through the "Form Configuration" feature: the "Name" field of a new form tab is saved and later rendered into the page without HTML encoding (stored XSS), so the payload executes in the browser of any user who subsequently loads a page that renders the tab name.
Proof of Concept
Step 1: Go to "/index.php?module=entities/forms&entities_id=24", click "Add New Form Tab", enter the payload "<img src=1 onerror='alert(document.cookie)'/>" in the "Name" field and save the tab.
Step 2: The stored name is rendered without HTML encoding, so the payload executes and an alert displaying document.cookie appears.
Impact
An attacker who can run script in a victim's browser can act as that user: the script can read whatever the page can read (the PoC displays document.cookie; session cookies are shielded from this only when set with the HttpOnly flag) and can issue requests to the application with the victim's session, so the attacker can perform actions as any user who views the affected page. To verify a fix, re-open the form configuration and confirm that the stored name is shown as literal text, with the tag encoded as &lt;img ...&gt; in the page source.
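The rendering pattern behind this finding, shown as an added example that is not rukovoditel's own code: a tab name as submitted in the PoC is rendered once by straight string interpolation (reproducing the stored XSS) and once through htmlspecialchars applied at output time. The function names, the <li> template and the regression check are assumptions for illustration.

```php
<?php
// Added example, not rukovoditel's own code. Models the "Form Configuration"
// tab name being stored and later rendered, first without output encoding
// (the stored XSS pattern) and then with HTML encoding at the output sink.
// Function names and the <li> template are assumptions for illustration.

declare(strict_types=1);

// Constructed sample input: the tab "Name" value from the PoC.
const TAB_NAME_PAYLOAD = "<img src=1 onerror='alert(document.cookie)'/>";

// Vulnerable pattern: the stored value is interpolated straight into HTML,
// so a name containing a tag becomes live markup when the page is rendered.
function render_tab_vulnerable(string $name): string
{
    return "<li class=\"form-tab\">{$name}</li>";
}

// Hardened pattern: encode for the HTML context at output time.
// ENT_QUOTES encodes both quote styles, so the same helper is also safe for
// values placed inside attribute values such as the edit form's value="...".
// ENT_SUBSTITUTE replaces malformed UTF-8 instead of returning an empty
// string, which would silently hide the value rather than fail loudly.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_tab_hardened(string $name): string
{
    return '<li class="form-tab">' . html_escape($name) . '</li>';
}

// Regression check a practitioner can keep in a test suite: strip the fixed
// template and make sure nothing derived from user input still contains a
// raw tag opener. Coarse by design; it complements, not replaces, encoding
// at every sink where the name is output.
function input_part_contains_raw_tag(string $html_fragment): bool
{
    $from_input = str_replace(['<li class="form-tab">', '</li>'], '', $html_fragment);
    return (bool) preg_match('/<[a-z!\/]/i', $from_input);
}

$vulnerable = render_tab_vulnerable(TAB_NAME_PAYLOAD);
$hardened   = render_tab_hardened(TAB_NAME_PAYLOAD);

echo "vulnerable: {$vulnerable}\n";
echo "hardened:   {$hardened}\n";
echo 'raw tag in vulnerable output: ' . var_export(input_part_contains_raw_tag($vulnerable), true) . "\n";
echo 'raw tag in hardened output:   ' . var_export(input_part_contains_raw_tag($hardened), true) . "\n";
```

Run it with `php example.php`. The point of the hardened variant is where the encoding happens: at the output sink, for the HTML context the value lands in, rather than by filtering on save. Every place the tab name is echoed (the tab list, the edit form's input value, any JSON handed to client-side script) needs its own context-appropriate encoding; a filter applied only on input is bypassable and leaves already-stored values unprotected.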
anhdq201 changed the title on Nov 2, 2022 from: Stored Cross Site Scripting Vulnerability on "Form Configuration" in rukovoditel 3.2.1, to: Stored Cross Site Scripting Vulnerability on "Fields Configuration" in rukovoditel 3.2.1
anhdq201 changed the title again on Nov 2, 2022, back to: Stored Cross Site Scripting Vulnerability on "Form Configuration" in rukovoditel 3.2.1