Badaso version 2.9.7 has an XSS vulnerability in new member
Vendor Homepage:
Version:
2.9.7
Tested On:
Marcos, review source code
Affected Page:
https://badaso-demo.uatech.co.id/dashboard/general/borrowing/add
https://badaso-demo.uatech.co.id/dashboard/general/borrowing/1/edit
https://badaso-demo.uatech.co.id/dashboard/general/members/1/edit
https://badaso-demo.uatech.co.id/dashboard/general/members/add
Description:
A vulnerability XSS injection was found in Badaso v2.9.7. Cross-site scripting (XSS) is a type of security vulnerability that occurs when a web application includes untrusted data in its output to a web browser. This can allow malicious scripts to be executed by a user's browser, potentially compromising their data and interactions with the website. XSS attacks can have various impacts, including stealing sensitive information, session hijacking, defacement of websites, and more
Proof of Concept:
Login and Access to function add new member or edit member.
Inject payload XSS alert 1 to the name of the member parameter and submit it.
"' test <img src="" onerror="alert(2)">
Go to Borrowing and add a new Borrowing or edit Borrowing then malicious is executed.