Tasked PHP Task Management Multiple Stored XSS Injection

2019.04.16

QUIXSS (RU)

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

PoC: Go to the demo website http://byluminary.com/envato_demos/Tasked/login.php and register your new account with payload inside «First Name» and/or «Last Name» fields (keep in mind that mail activation is enabled, to use any temp mail service for tests). Activate your account and log in using your credentials, then go to http://byluminary.com/envato_demos/Tasked/index.php?page=profile to launch your payload(s).
More vulnerable fields:
http://byluminary.com/envato_demos/Tasked/index.php?page=categories - create new category with desired payload inside «Name» and/or «Description» field(s);
http://byluminary.com/envato_demos/Tasked/index.php?page=openTasks and http://byluminary.com/envato_demos/Tasked/index.php?page=calendar - same stuff like categories.

References:

https://codecanyon.net/item/tasked-php-task-management/9372768

See this note in RAW Version

Vote for this issue:

100%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Tasked PHP Task Management Multiple Stored XSS Injection

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.