<h3 id="heading-vendor-homepage"><strong>Vendor Homepage:</strong></h3>
<p><a target="_blank" href="https://opencollective.com/badaso"><strong>Badaso - Open Collective</strong></a></p>
<h3 id="heading-version"><strong>Version:</strong></h3>
<p>2.9.7</p>
<h3 id="heading-tested-on"><strong>Tested On:</strong></h3>
<p>Marcos, review source code</p>
<h3 id="heading-affected-page"><strong>Affected Page:</strong></h3>
<p><a target="_blank" href="https://badaso-demo.uatech.co.id/dashboard/general/borrowing/add">https://badaso-demo.uatech.co.id/dashboard/general/borrowing/add</a></p>
<p><a target="_blank" href="https://badaso-demo.uatech.co.id/dashboard/general/borrowing/1/edit">https://badaso-demo.uatech.co.id/dashboard/general/borrowing/1/edit</a></p>
<h3 id="heading-description"><strong>Description:</strong></h3>
<p>A vulnerability XSS injection was found in Badaso v2.9.7. Cross-site scripting (XSS) is a type of security vulnerability that occurs when a web application includes untrusted data in its output to a web browser. This can allow malicious scripts to be executed by a user's browser, potentially compromising their data and interactions with the website. XSS attacks can have various impacts, including stealing sensitive information, session hijacking, defacement of websites, and more</p>
<h3 id="heading-proof-of-concept"><strong>Proof of Concept:</strong></h3>
<ol>
<li><h4 id="heading-login-and-access-to-function-add-books">Login and Access to function add Books.</h4>
<p> <img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1693211719203/c8c21d8a-756e-471a-b57f-76e608dfe4e2.png" alt class="image--center mx-auto" /></p>
</li>
<li><h4 id="heading-inject-payload-xss-alert-1-to-the-title-of-book-parameter-and-submit-it">Inject payload XSS alert 1 to the Title of book parameter and submit it.</h4>
<pre><code class="lang-plaintext">  "' test &lt;img src="" onerror="alert(5)"&gt;
</code></pre>
<p> <img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1693211908643/423f2f06-1dfa-45d4-85d8-1ae08db93b8a.png" alt class="image--center mx-auto" /></p>
<p> <img src="https://user-images.githubusercontent.com/132877337/252546173-acf14463-d665-4572-9cd0-288ff21357d4.png" alt="image" /></p>
</li>
<li><p>Go to Borrowing and add a new Borrowing or edit Borrowing then malicious is executed.</p>
<p> <img src="https://user-images.githubusercontent.com/132877337/252546130-ef6f72ab-cb2e-4a3a-a692-5c8440eeabc5.png" alt="image" /></p>
</li>
</ol>


### **Vendor Homepage:**

[**Badaso - Open Collective**](https://opencollective.com/badaso)

### **Version:**

2.9.7

### **Tested On:**

Marcos, review source code

### **Affected Page:**

[https://badaso-demo.uatech.co.id/dashboard/general/borrowing/add](https://badaso-demo.uatech.co.id/dashboard/general/borrowing/add)

[https://badaso-demo.uatech.co.id/dashboard/general/borrowing/1/edit](https://badaso-demo.uatech.co.id/dashboard/general/borrowing/1/edit)

### **Description:**

A vulnerability XSS injection was found in Badaso v2.9.7. Cross-site scripting (XSS) is a type of security vulnerability that occurs when a web application includes untrusted data in its output to a web browser. This can allow malicious scripts to be executed by a user's browser, potentially compromising their data and interactions with the website. XSS attacks can have various impacts, including stealing sensitive information, session hijacking, defacement of websites, and more

### **Proof of Concept:**

1. #### Login and Access to function add Books.
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1693211719203/c8c21d8a-756e-471a-b57f-76e608dfe4e2.png align="center")
    
2. #### Inject payload XSS alert 1 to the Title of book parameter and submit it.
    
    ```plaintext
     "' test <img src="" onerror="alert(5)">
    ```
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1693211908643/423f2f06-1dfa-45d4-85d8-1ae08db93b8a.png align="center")
    
    ![image](https://user-images.githubusercontent.com/132877337/252546173-acf14463-d665-4572-9cd0-288ff21357d4.png align="left")
    
3. Go to Borrowing and add a new Borrowing or edit Borrowing then malicious is executed.
    
    ![image](https://user-images.githubusercontent.com/132877337/252546130-ef6f72ab-cb2e-4a3a-a692-5c8440eeabc5.png align="left")

Badaso version 2.9.7 has an XSS vulnerability in add books

Vendor Homepage:

Version:

Tested On:

Affected Page:

Description:

Proof of Concept:

Login and Access to function add Books.

Inject payload XSS alert 1 to the Title of book parameter and submit it.