Badaso version 2.9.7 has XSS vulnerability in add ranks
Vendor Homepage:
Version:
2.9.7
Tested On:
Marcos, review source code
Affected Page:
https://badaso-demo.uatech.co.id/dashboard/general/books/add
https://badaso-demo.uatech.co.id/dashboard/general/books/1/edit
Description:
A vulnerability XSS injection was found in Badaso v2.9.7. Cross-site scripting (XSS) is a type of security vulnerability that occurs when a web application includes untrusted data in its output to a web browser. This can allow malicious scripts to be executed by a user's browser, potentially compromising their data and interactions with the website. XSS attacks can have various impacts, including stealing sensitive information, session hijacking, defacement of websites, and more
Proof of Concept:
Login and Access to function add racks.
Inject payload XSS alert 1 to rank Book Groups.
"' test <img src="" onerror="alert(1)">
-
Go to books and add a new book or go to edit books then malicious is executed.