Cross Site Scripting is one of my most loved flaws; I frequently test for it in web applications, and most of the time I get a result. I recently found the same issue in Inflectra with the assistance of one of my companions.
Most of the time, Cross Site Scripting vulnerabilities exist in Forms, Search Results, Support and Forms fields. I likewise found the Stored XSS in the Support Help Center of Inflectra.
Vulnerable Url: https://www.inflectra.com/Support/Forum/List.aspx
User Agent: Mozilla / Chrome / Safari / Android
Bug Type: Stored XSS (Cross Site Scripting)
Fix: Modify your input validation.
Date: 6th Feb – 17
Current Status: Patched
Steps To Reproduce:
- Go to https://www.inflectra.com/Support/Forums.aspx
- In the Forms field, select any Category and after that select any problem/question.
- Click on the Reply button on that question and select the Insert Table option.
- Insert the XSS (Cross Site Scripting) payload in every single table field as shown in the picture, then click Insert Table. Payload:
"><img src=# onerror=alert('XSS') />
You’ll see the popup execute, and the page is vulnerable to XSS.
At that point, as I inserted the table, the code was executed and the popup showed up.
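The post's fix line names input validation; a complementary control is to HTML-encode each table cell when the reply is rendered, shown here as an added example that is not part of the original post and not Inflectra's code. The function names, the 2-D cell array and the sample row are assumptions made for illustration.

```javascript
// Added example: a hypothetical "Insert Table" renderer, not Inflectra's code.

// The five characters that let text break out of element content or a
// quoted attribute value, mapped to their HTML entities.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function encodeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build table markup from a 2-D array of user-supplied cell strings.
// encodeCell decides how each cell's text is written into the page.
function buildTable(rows, encodeCell) {
  const body = rows
    .map((row) => '<tr>' + row.map((cell) => '<td>' + encodeCell(cell) + '</td>').join('') + '</tr>')
    .join('');
  return '<table>' + body + '</table>';
}

// "Before": cell text is concatenated as-is, so markup typed into a cell
// becomes live HTML for every visitor who later views the stored reply.
const buildTableUnsafe = (rows) => buildTable(rows, (cell) => String(cell));

// "After": every cell is HTML-encoded at output time and renders as text.
const buildTableSafe = (rows) => buildTable(rows, encodeHtml);

// Regression check for this builder's output only (not a general HTML
// sanitizer): any tag other than bare table/tr/td means a cell injected markup.
function hasInjectedMarkup(html) {
  const tags = html.match(/<[^>]*>/g) || [];
  return tags.some((tag) => !/^<\/?(table|tr|td)>$/.test(tag));
}

// Constructed sample input: one benign cell and the payload from the post.
const SAMPLE_ROWS = [['Browser & OS', `"><img src=# onerror=alert('XSS') />`]];

console.log('unsafe builder injects markup:', hasInjectedMarkup(buildTableUnsafe(SAMPLE_ROWS)));
console.log('safe builder injects markup:  ', hasInjectedMarkup(buildTableSafe(SAMPLE_ROWS)));
console.log(buildTableSafe(SAMPLE_ROWS));
```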
Once I got the results, I reported this security flaw to them; they answered me in five working days and began working to resolve the issue.
They fixed this issue in fifteen days and offered to mention my name on their website's security Hall of Fame page.
I accepted their offer and in five more days I was on their Hall of Fame page.
Much obliged for taking your valuable time. Much obliged to Inflectra for the acknowledgement. (: