Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-63cr-xg3f-8jvr: Leantime allows Stored Cross-Site Scripting (XSS)

Summary

Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application.

Details

A Stored Cross-Site Scripting (XSS) vulnerability was found that could potentially compromise user data and pose a significant security risk to the platform.

PoC

  • Create a project
  • Navigate to project
  • Visit to the integration
  • Add malicious payload inside the webhook and save it.
  • Notice the alert dialogue indicating successful execution of the XSS payload.
'';!--" onfocus=alert(0) autofocus=""  onload=alert(3);="&{(alert(1))}" |="" mufazmi"="

'';!--" onfocus=alert(0) autofocus=""  onload=alert(3);=>>"&{(alert(1))}" |="">> mufazmi"=">>

POC

https://youtu.be/kqKFgsOqstg

Impact

This XSS vulnerability allows an attacker to execute malicious scripts in the context of a victim’s browser when they click on a specially crafted link. This could lead to various malicious activities, including session hijacking, stealing sensitive information such as cookies or login credentials, and potentially compromising the entire platform’s security.

ghsa
Open in Source
#xss#vulnerability#web

Summary

Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application.

Details

A Stored Cross-Site Scripting (XSS) vulnerability was found that could potentially compromise user data and pose a significant security risk to the platform.

PoC

  • Create a project

  • Navigate to project

  • Visit to the integration

  • Add malicious payload inside the webhook and save it.

  • Notice the alert dialogue indicating successful execution of the XSS payload.

    '’;!–" onfocus=alert(0) autofocus="" onload=alert(3);="&{(alert(1))}" |="" mufazmi"="

'';!--" onfocus=alert(0) autofocus=""  onload=alert(3);=>>"&{(alert(1))}" |="">> mufazmi"=">>

POC

https://youtu.be/kqKFgsOqstg

Impact

This XSS vulnerability allows an attacker to execute malicious scripts in the context of a victim’s browser when they click on a specially crafted link. This could lead to various malicious activities, including session hijacking, stealing sensitive information such as cookies or login credentials, and potentially compromising the entire platform’s security.

References

  • GHSA-63cr-xg3f-8jvr
  • https://youtu.be/kqKFgsOqstg

ghsa: Latest News

GHSA-744g-7qm9-hjh9: The TYPO3 CMS Backend has Broken Authentication in Backend MFA
ghsa