Tasked PHP Task Management Multiple Stored XSS Injection

2019.04.16
Author: QUIXSS (RU)
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

PoC: Go to the demo website http://byluminary.com/envato_demos/Tasked/login.php and register a new account with the payload in the «First Name» and/or «Last Name» field (mail activation is enabled, so use a temporary mail service for testing). Activate the account and log in with your credentials, then open http://byluminary.com/envato_demos/Tasked/index.php?page=profile to trigger the payload(s). The payload is stored server-side and executes in the browser of any user who views the affected page.

More vulnerable fields: http://byluminary.com/envato_demos/Tasked/index.php?page=categories - create a new category with the payload in the «Name» and/or «Description» field(s); http://byluminary.com/envato_demos/Tasked/index.php?page=openTasks and http://byluminary.com/envato_demos/Tasked/index.php?page=calendar - same procedure as for categories.
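The following is an added illustration, not code from Tasked or from the advisory author: it shows why a value typed into the «First Name» field ends up executing on the profile page, and the output-encoding fix that stops it. The function names, the $user array and the sample payload are constructed for this example; the application's real templates are not on this page.

```php
<?php
// Added example (not Tasked's own code): stored XSS through a profile
// field, vulnerable rendering beside the hardened form.
// render_profile_vulnerable, render_profile_safe, e, validate_name and
// $user are hypothetical names chosen for this illustration.

declare(strict_types=1);

// Constructed sample: what an attacker submits in the registration
// form's "First Name" field. The application stores it verbatim.
$user = [
    'first_name' => '<img src=x onerror="alert(document.cookie)">',
    'last_name'  => 'Smith',
];

// Vulnerable pattern: the stored value is concatenated straight into
// HTML, so the browser parses the <img> tag and runs the onerror
// handler for every user who views the profile page.
function render_profile_vulnerable(array $user): string
{
    return '<h1>' . $user['first_name'] . ' ' . $user['last_name'] . '</h1>';
}

// Hardened pattern: every untrusted value is HTML-encoded at output
// time. ENT_QUOTES also encodes ' and " so the helper is safe inside
// attribute values; ENT_SUBSTITUTE keeps invalid UTF-8 from silently
// turning the output into an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_profile_safe(array $user): string
{
    return '<h1>' . e($user['first_name']) . ' ' . e($user['last_name']) . '</h1>';
}

// Server-side input check for name fields (defence in depth, not a
// substitute for output encoding): a person's name needs no markup.
function validate_name(string $value): bool
{
    return $value !== ''
        && mb_strlen($value, 'UTF-8') <= 64
        && !preg_match('/[<>"\'`]/u', $value);
}

$unsafe = render_profile_vulnerable($user);
$safe   = render_profile_safe($user);

echo "vulnerable: $unsafe\n";
echo "hardened:   $safe\n";

// Sanity checks: the tag survives in the vulnerable output and is
// neutralised in the hardened one; the validator rejects the payload.
assert(strpos($unsafe, '<img src=x onerror=') !== false);
assert(strpos($safe, '<img') === false);
assert(strpos($safe, '&lt;img src=x onerror=&quot;alert(document.cookie)&quot;&gt;') !== false);
assert(validate_name('Smith') === true);
assert(validate_name($user['first_name']) === false);
```

Run it with `php example.php`. The same `e()` helper should wrap the category «Name» and «Description» values and the task and calendar fields wherever they are echoed, since each of those pages is listed above as storing and re-displaying user input. Marking the session cookie HttpOnly limits what the demonstrated `document.cookie` payload can steal, but it does not remove the injection; only encoding at output does.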

References:

https://codecanyon.net/item/tasked-php-task-management/9372768



Copyright 2019, cxsecurity.com
