[*] :: Title: WORKSUITE - Project Management System v2.4.7 Stored XSS Injection
[*] :: Author: QUIXSS
[*] :: Date: 2019-04-27
[*] :: Software: WORKSUITE - Project Management System v2.4.7
[?] :: Technical Details & Description:
# Weak security measures like bad input fields data filtering has been discovered in the «WORKSUITE - Project Management System». Current version of this web-application is 2.4.7.
[?] :: Demo Website:
# Backend: https://demo.worksuite.biz/login
# Login/Password (admin): firstname.lastname@example.org/123456
[!] :: Special Note:
# Author of this web-application was warned about bad security measures. Nothing has changed.
[!] :: For developers:
# Disabling any data changes on a demo websites doesn't make your applications more secure. It's good for business and sales but you are simply double-crossing your clients.
[+] :: PoC [Stored XSS Injection]:
# Authorize on the demo website for tests, then go to any page with a text field, f.e. https://demo.worksuite.biz/admin/task/all-tasks/54/edit
# On the «Title» input field use payload like <img src="x" onerror="alert('QUIXSS')">, save the data and then you'll see that XSS filter is not triggered and your payload is successfully injected.
# Almost each input field is vulnerable for Stored XSS Injection.
# Sample payload: <img src="x" onerror="alert('QUIXSS')">