r0ck3t1973 / xss_payload Goto Github PK

Describe the bug
An authenticated malicious user can take advantage of a Stored XSS vulnerability in the "Smileys" feature.

To Reproduce
Steps to reproduce the behavior:

1. Login into the Admin panel
2. Go to 'codoforum/admin/index.php?page=ui/smileys'
3. Click smileys
4. Choese smileys >> Click Edit
5. Insert Payload 'Smiley Code':
   '><details/open/ontoggle=confirm(1337)>
6. Click Save
7. Go to Page 'codoforum/admin/index.php?page=ui/smileys'
8. XSS Alert Message
   Expected behavior
   The removal of script tags is not sufficient to prevent an XSS attack. You must HTML Entity encode any output that is reflected back to the page

Screenshots

1. Chose smiley
   
2. insert payload
   
3. xss alert mess
   

Desktop (please complete the following information):

OS: Windows
Browser: All
Version

Describe the bug
An authenticated malicious user can take advantage of a Stored XSS vulnerability in the "connections" feature.

To Reproduce
Steps to reproduce the behavior:

1, Login into the panel
2. Go to '/access/setup?type=conn'
3. Change connections
4. Insert Payload:
'><details/open/ontoggle=confirm(1337)>
5. XSS Alert Message
Expected behavior
The removal of script tags is not sufficient to prevent an XSS attack. You must HTML Entity encode any output that is reflected back to the page

Screenshots

1. Info WebPort-v1.19.17121
   
2. Insert payload
   
3. xss alert mess
   

Desktop (please complete the following information):

OS: Windows
Browser Chorme
Version: Version 83.0.4103.106

Hi, I found stored xss in Categories.
To Reproduce

1. Login into the panel
2. Go to Documents: 'tiki-21.4/tiki-index.php'
3. Click Categories: '/tiki-21.4/tiki-browse_categories.php'
4. Create category
5. insert payload bypass xss:
   <a href="javascript&colon;alert&lpar;1337&rpar;">Click2</a>
6. Click Categories >> Click2 >> Boom alert message xss!

Impact
Commonly include transmitting private data, like cookies or other session information, to the attacker, redirecting the victim to web content controlled by the attacker, or performing other malicious operations on the user’s machine under the guise of the vulnerable site.
POC

Describe the bug
An authenticated malicious user can take advantage of a Stored XSS vulnerability in the "Pages" feature.

To Reproduce
Steps to reproduce the behavior:

1. Login into the Admin panel
2. Go to 'codoforum/admin/index.php?page=pages/pages'
3. Click Add Page
4. Insert Payload in 'Page Title':
   '><details/open/ontoggle=confirm(document.domain)>
5. Click Save
6. Go to Page 'codoforum/admin/index.php?page=pages/pages'
7. XSS Alert Message

Expected behavior
The removal of script tags is not sufficient to prevent an XSS attack. You must HTML Entity encode any output that is reflected back to the page

Screenshots

1. Add Pages
   

2. Xss Message
   

Desktop (please complete the following information):

OS: Windows
Browser: All
Version

Hi Team,
I found stored xss in Calendar
To Reproduce

1. Login into panel
2. Go to Documents: '/tiki-21.4/tiki-index.php'
3. Click Calendar: '/tiki-21.4/tiki-calendar.php'
4. Click Add Event
5. insert payload bypass xss in Description
   <a href="javascript&colon;alert&lpar;document&period;domain&rpar;">Click Here</a>
6. Click Details Event >> ClickHere>> Boom alert message xss!

Impact
Commonly include transmitting private data, like cookies or other session information, to the attacker, redirecting the victim to web content controlled by the attacker, or performing other malicious operations on the user’s machine under the guise of the vulnerable site.
POC

/Describe the bug/
An authenticated malicious user can take advantage of a Stored XSS vulnerability in the "Edit Menu" feature.

To Reproduce
/Steps to reproduce the behavior/:

1, Login into the panel
2. Go to '/Mara/codebase/menuedit.php'
3. Insert Payload:
"><script>alert(document.domain)</script>Hello world!
4. Click Test: Alert XSS Message
5. Save and go to Admin Panel
6. Alert XSS Message

/Expected behavior/
The removal of script tags is not sufficient to prevent an XSS attack. You must HTML Entity encode any output that is reflected back to the page

/Screenshots/

1. go to '/Mara/codebase/menuedit.php'
   
2. Insert Payload
   
3. Click Test: Alert XSS Message
   
4. Save and go to Admin Panel
5. Alert XSS Message
   

/Desktop (please complete the following information):/
OS: Windows
Browser: All

I Hope you fix it ASAP

Describe the bug
An authenticated malicious user can take advantage of a Stored XSS vulnerability in the "Manage Users" feature.

To Reproduce
Steps to reproduce the behavior:

1. Login into the Admin panel
2. Go to 'codoforum/admin/index.php?page=users/manage'
3. Click Edit Username
   Insert Payload
   ">< img src=xx onerror= alert(document.domain) >
4. Click Save
5. XSS Alert Message

Expected behavior
The removal of script tags is not sufficient to prevent an XSS attack. You must HTML Entity encode any output that is reflected back to the page

Screenshots

1. Edit Username
   
2. Xss alert mess
   

Desktop (please complete the following information):

OS: Windows
Browser: All
Version