As Cross-Site Scripting is one of my most loved imperfections I frequently test in web application and the greater part of the circumstances I got my outcome. Same issue I have recently found in Inflectra with the assistance of one of my companions.
Most of the time Cross-Site Scripting vulnerabilities exist in Forms, Search Results, Support and Forms fields. I have likewise established the Stored XSS in the Support Help Center of Inflectra.
Vulnerable Url: https://www.inflectra.com/Support/Forum/List.aspx
User Agent: Mozilla / Chrome / Safari / Android
Bug Type: Stored XSS (Cross-Site Scripting)
Fix: Modify your input validation.
Date: 6th Feb - 17
Current Status: Patched
Steps To Produce:
- Goto https://www.inflectra.com/Support/Forums.aspx
- In the Forms, field selects any Category and after that select any problem/question.
- Click on the Reply Button on that question and here select Insert Table option.
- Insert XSS (Cross-Site Scripting) Payload in every single table field as appeared in the picture. Then click Insert Table. Payload "><img src=# onerror=alert('XSS') /> You'll see the popup executes and the page is powerless against XSS.
At that point as I Inserted Table the code is executed and a popup shows up.
As I got the outcomes I reported this Security blemish to them they answered me in five working days and began attempting to resolve this issue.
They settled this issue in fifteen days and offered me to mention my name in their web site security Hall of Fame page.
I accepted their offer and in five more days I was on their Hall of Fame page.
Much Obliged for taking your valuable time. Much Obliged Inflectra for acknowledgement. (: