An authenticated malicious user can take advantage of a Stored XSS vulnerability in the "Entities List" feature.
Proof of Concept
Step 1: Go to "/index.php?module=entities/entities", click "Add New Entity" and insert payload "<img src=1 onerror='alert(document.coookie)'/>" in Name field.
Step 2: Alert XSS Message
Impact
If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user.
The text was updated successfully, but these errors were encountered:
anhdq201
changed the title
Store Cross Site Scripting Vulnerability on "Entities List" in rukovoditel 3.2.1
Stored Cross Site Scripting Vulnerability on "Entities List" in rukovoditel 3.2.1
Oct 9, 2022
Version: 3.2.1
Description
An authenticated malicious user can take advantage of a Stored XSS vulnerability in the "Entities List" feature.
Proof of Concept
Step 1: Go to "/index.php?module=entities/entities", click "Add New Entity" and insert payload "
<img src=1 onerror='alert(document.coookie)'/>" in Name field.Step 2: Alert XSS Message
Impact
If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user.
The text was updated successfully, but these errors were encountered: