Badaso version 2.9.7 has XSS vulnerability in add ranks


Vendor Homepage:

Badaso - Open Collective

Version:

2.9.7

Tested On:

macOS, with source code review

Affected Page:

https://badaso-demo.uatech.co.id/dashboard/general/books/add

https://badaso-demo.uatech.co.id/dashboard/general/books/1/edit

Description:

An XSS injection vulnerability was found in Badaso v2.9.7. Cross-site scripting (XSS) is a type of security vulnerability that occurs when a web application includes untrusted data in its output to a web browser without proper encoding. This allows malicious scripts to be executed by a user's browser, potentially compromising their data and their interactions with the website. XSS attacks can have various impacts, including theft of sensitive information, session hijacking, website defacement, and more. In this case the payload is saved in a rank name and runs later, whenever a book is added or edited.

Proof of Concept:

  1. Log in and open the add racks function.

  2. Inject the XSS payload (alert(1)) into the Book Groups rank field:

     "' test <img src="" onerror="alert(1)">

  3. Go to books and add a new book, or edit an existing book; the stored payload is then executed.
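The root cause is that the saved rank name is placed into the book form's markup without encoding. The following added example (not code from this advisory or from the Badaso project) renders the advisory's payload the unsafe way and the hardened way; the `renderOption*` helpers are hypothetical stand-ins for whatever Badaso component builds the Book Groups selector, which this page does not show.

```javascript
// Payload taken from the proof of concept above.
const PAYLOAD = '"\' test <img src="" onerror="alert(1)">';

// Escape the five characters that let a string break out of HTML text or
// attribute context. Replace '&' first so later entities are not re-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern (hypothetical): the stored name is concatenated straight
// into markup, the equivalent of v-html / innerHTML, so <img onerror> goes live.
function renderOptionUnsafe(name) {
  return `<option value="${name}">${name}</option>`;
}

// Hardened pattern: the same name is escaped before it is placed in markup,
// in both the attribute and the text position.
function renderOptionSafe(name) {
  const safe = escapeHtml(name);
  return `<option value="${safe}">${safe}</option>`;
}

// Review check: strip the expected <option> wrapper and look for any raw '<'
// left over. Correctly escaped user input never contributes a raw '<'.
function hasInjectedTag(html) {
  const inner = html.replace(/<\/?option\b[^>]*>/g, '');
  return /</.test(inner);
}

console.log('unsafe:', renderOptionUnsafe(PAYLOAD));
console.log('safe:  ', renderOptionSafe(PAYLOAD));
console.log('unsafe injected?', hasInjectedTag(renderOptionUnsafe(PAYLOAD)));
console.log('safe injected?  ', hasInjectedTag(renderOptionSafe(PAYLOAD)));
```

In a Laravel Blade template the same fix is using `{{ $name }}` rather than `{!! $name !!}`, and in Vue using text interpolation or `v-text` rather than `v-html`.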