<h3 id="heading-vendor-homepage"><strong>Vendor Homepage:</strong></h3>
<p><a target="_blank" href="https://zenar.io/">Zenario</a></p>
<h3 id="heading-version"><strong>Version:</strong></h3>
<p>Zenario 9.4</p>
<h3 id="heading-tested-on"><strong>Tested On:</strong></h3>
<p>Marcos, review source code</p>
<h3 id="heading-description"><strong>Description:</strong></h3>
<p>A vulnerability XSS injection was found in Zenario 9.4. Cross-site scripting (XSS) is a type of security vulnerability that occurs when a web application includes untrusted data in its output to a web browser. This can allow malicious scripts to be executed by a user's browser, potentially compromising their data and interactions with the website. XSS attacks can have various impacts, including stealing sensitive information, session hijacking, defacement of websites, and more.</p>
<h3 id="heading-proof-of-concept"><strong>Proof of Concept:</strong></h3>
<ol>
<li>Login to account <a target="_blank" href="https://demo.zenar.io/admin">https://demo.zenar.io/admin</a></li>
</ol>
<p><img src="https://user-images.githubusercontent.com/132877337/256102652-3e4a1af5-ddd6-46db-825b-0f3a67cd6c35.png" alt="image" /></p>
<ol>
<li><p>In the tab menu click on event and create a new event</p>
<p> <img src="https://user-images.githubusercontent.com/132877337/256103272-11a07a44-259f-4645-ae74-db82cf283ca8.png" alt="image" /></p>
</li>
<li><p>Inject payload to Menu navigation text, choice menu note menu (simple choice account ), and save the event</p>
<pre><code class="lang-plaintext">   "' &lt;img src="{{7*7}} onerror="alert(1)"&gt;\
</code></pre>
<p> <img src="https://user-images.githubusercontent.com/132877337/256104738-2b899c51-c71e-4a14-8907-408abdfb5302.png" alt="image" /></p>
</li>
<li><p>Go to Menu navigation and click on account. Move the mouse to the event then the payload is executed.</p>
<p> <img src="https://user-images.githubusercontent.com/132877337/256106808-e4836e3a-cb94-433a-b0f6-29bbe159421a.png" alt="image" /></p>
</li>
</ol>


### **Vendor Homepage:**

[Zenario](https://zenar.io/)

### **Version:**

Zenario 9.4

### **Tested On:**

Marcos, review source code

### **Description:**

A vulnerability XSS injection was found in Zenario 9.4. Cross-site scripting (XSS) is a type of security vulnerability that occurs when a web application includes untrusted data in its output to a web browser. This can allow malicious scripts to be executed by a user's browser, potentially compromising their data and interactions with the website. XSS attacks can have various impacts, including stealing sensitive information, session hijacking, defacement of websites, and more.

### **Proof of Concept:**

1. Login to account [https://demo.zenar.io/admin](https://demo.zenar.io/admin)
    

![image](https://user-images.githubusercontent.com/132877337/256102652-3e4a1af5-ddd6-46db-825b-0f3a67cd6c35.png align="left")

1. In the tab menu click on event and create a new event
    
    ![image](https://user-images.githubusercontent.com/132877337/256103272-11a07a44-259f-4645-ae74-db82cf283ca8.png align="left")
    
2. Inject payload to Menu navigation text, choice menu note menu (simple choice account ), and save the event
    
    ```plaintext
      "' <img src="{{7*7}} onerror="alert(1)">\
    ```
    
    ![image](https://user-images.githubusercontent.com/132877337/256104738-2b899c51-c71e-4a14-8907-408abdfb5302.png align="left")
    
3. Go to Menu navigation and click on account. Move the mouse to the event then the payload is executed.
    
    ![image](https://user-images.githubusercontent.com/132877337/256106808-e4836e3a-cb94-433a-b0f6-29bbe159421a.png align="left")

A stored cross-site scripting (XSS) vulnerability in the Create the function of Zenario CMS v9.4

Vendor Homepage:

Version:

Tested On:

Description:

Proof of Concept: