*SUBMISSION REFERENCES*
* *Submission code*: XWIKI-PST6B4ZK
* *Submission URL*: https://www.intigriti.com/auth/dashboard?redirect=/submissions/e95a7ad5-7029-4627-abf0-3e3e3ea0b4ce/XWIKI-PST6B4ZK
*RESEARCHER INFORMATION*
* *Submitter*: ynoof
*SUBMISSION INFORMATION*
* *Created at*: Fri, 04 Nov 2022 14:36:49 GMT
* *Submission status*: Closed Archived
*REPORT CONTENT*
* *Severity*: High
* *Domain*: https://intigriti.xwiki.com/ (Url)
* *Proof of concept*:

Hello,
Stored XSS at user profile via `about` text area.
### Steps to reproduce

1. Go to user profile
2. Add the following payload in the `about` text area:

```
{{html}} '"<!--><Details Open OnToggle=confirm("Ynoof/Was/Here")> {{/html}}
```

3. Click on source before saving.
### POC {186066}
Thanks, Ynoof

* *Impact*: An attacker can execute any JS code in the victim's browser.
* *Personal data involved*: No
* *Endpoint*: https://intigriti.xwiki.com/xwiki/bin/view/XWiki/ynsec3
* *Type*: Stored Cross-Site Scripting
* *Attachments*: poc.png
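As an added example (not part of the report and not XWiki's own code), a small content audit that flags `{{html}}` macro blocks carrying inline event handlers or script in free-text profile fields such as the `about` area, the vector this report describes. The regexes and the sample profile are constructed for illustration, and the check assumes the stored field content is available as wiki syntax.

```python
import re

# An XWiki {{html}} ... {{/html}} macro block, optionally with parameters such
# as {{html clean="false"}}. Constructed regex for this check, not XWiki's parser.
HTML_MACRO_RE = re.compile(
    r"\{\{html(?:\s[^}]*)?\}\}(.*?)\{\{/html\}\}", re.IGNORECASE | re.DOTALL
)
# Inline event-handler attributes (OnToggle=, onerror=, ...) inside the raw HTML.
EVENT_HANDLER_RE = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)
# Script elements and javascript: URLs.
SCRIPT_RE = re.compile(r"<\s*script\b|javascript\s*:", re.IGNORECASE)


def find_unsafe_html_macros(content: str) -> list[dict]:
    """Return one finding per {{html}} block whose body carries a script vector."""
    findings = []
    for m in HTML_MACRO_RE.finditer(content):
        body = m.group(1)
        reasons = []
        if EVENT_HANDLER_RE.search(body):
            reasons.append("event-handler attribute")
        if SCRIPT_RE.search(body):
            reasons.append("script element or javascript: URL")
        if reasons:
            findings.append({"offset": m.start(), "reasons": reasons,
                             "snippet": body.strip()[:60]})
    return findings


def audit_profile(profile: dict) -> dict:
    """Scan every free-text profile field; the report's vector was the `about` area."""
    return {field: hits for field, text in profile.items()
            if (hits := find_unsafe_html_macros(text))}


# Constructed sample profile: a harmless html block in `comment`, and an `about`
# value shaped like the reported payload (comment-open trick plus a toggle handler).
SAMPLE_PROFILE = {
    "comment": "Hi! {{html}}<b>Wiki admin</b>{{/html}}",
    "about": "{{html}}'\"<!--><Details Open OnToggle=confirm(1)>{{/html}}",
}

if __name__ == "__main__":
    for field, hits in audit_profile(SAMPLE_PROFILE).items():
        for hit in hits:
            print(f"{field}: {', '.join(hit['reasons'])} -> {hit['snippet']!r}")
```

A hit on the `about` field is the signal to reject the save or strip the macro; a clean `comment` block with plain markup produces no finding.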