An authenticated malicious user can take advantage of a Stored XSS vulnerability in the "Add announcement" function in the "Help System" feature.
Proof of Concept
Step 1: Go to "/index.php?module=help_pages/pages&entities_id=24", click "Add announcement" and insert payload "<img src=1 onerror='alert(document.cookie)'/>" in "Title" field.
Step 2: Alert XSS Message
Impact
If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user.
anhdq201 changed the title on Nov 2, 2022:
From: Stored Cross Site Scripting Vulnerability on "Help system" in rukovoditel 3.2.1
To: Stored Cross Site Scripting Vulnerability on "Help system" in "Add announcement" function in rukovoditel 3.2.1
Version: 3.2.1
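The class of fix for the issue reported above is to encode the stored title for the HTML context when it is rendered. The following is an added example, not code from the report or from Rukovoditel; the function names and the `<h3>` wrapper are hypothetical, and the sample title is the value from the proof of concept.

```php
<?php
declare(strict_types=1);

// Constructed sample input: the "Title" value from the report's proof of concept.
$storedTitle = "<img src=1 onerror='alert(document.cookie)'/>";

/** Before: the stored title is concatenated into markup unchanged. */
function render_title_raw(string $title): string
{
    return '<h3 class="announcement-title">' . $title . '</h3>';
}

/** Encode a value for HTML text and quoted-attribute contexts. */
function e(string $value): string
{
    // ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE replaces invalid
    // UTF-8 sequences instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** After: the same markup with the title encoded at output time. */
function render_title_escaped(string $title): string
{
    return '<h3 class="announcement-title">' . e($title) . '</h3>';
}

/** True when the parsed fragment has any element nested inside the wrapper. */
function contains_injected_element(string $html): bool
{
    $doc = new DOMDocument();
    $doc->loadHTML($html, LIBXML_NOERROR | LIBXML_NOWARNING);
    $nested = (new DOMXPath($doc))->query('//h3//*');
    return $nested !== false && $nested->length > 0;
}

$variants = [
    'raw'     => render_title_raw($storedTitle),
    'escaped' => render_title_escaped($storedTitle),
];

foreach ($variants as $label => $html) {
    $verdict = contains_injected_element($html) ? 'yes' : 'no';
    printf("%-8s nested element parsed: %s\n         %s\n", $label, $verdict, $html);
}
```

Because the proof of concept reads `document.cookie`, setting the `HttpOnly` attribute on the session cookie limits that particular impact, but it does not replace output encoding.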