Please log in to bookmark issues
#2885 – 
Bug report
Click to toggle a vote for this issue
0 + 0
Time tracking started at Paused

Users with the privilege to create a new issue can store malicious code in the database or any other persistent media, by entering JavaScript code in the “Description” and “Environment” fields located at the “New Bug”, “Improvement Request”, “Task” and “Feature Request” forms. The inserted code will be executed every time the data is retrieved by another user.

How to reproduce

Steps to Reproduce Exploit:

  1. Click on the “New Issue” option.
  2. Click on any option, in this case, click on the “Bug” option.
  3. In the “DESCRIPTION” field, type the following script: Bug"><img src=a onerror=alert(1)>Testing.
  4. In the “ENVIRONMENT” field, type the following script: <img src=”x” onerror=alert(“PXSS2”)>.
  5. Fill out the other fields with any value and click on the “File issue” button.
  6. Once the issue is created, go to the section where all the issues are displayed; as you can see, the script is executed.
  7. Then look for the created issue and open it.
  8. Finally, the other injected script is executed, proving that XSS can be stored in the application’s database.
Expand, collaborate and share
Post a comment and get things done
Important details
User pain
  • Type of bug
    Not triaged
  • Likelihood
    Not triaged
  • Effect
    Not triaged
Times and dates
  • Estimated time No time estimated
People involved
Other details
  • Not determined