Open testdzdz opened 8 years ago
FYI, this security issue was fixed in Milestones PM+. Milestones PM has not recently passed security review, but PM+ has.
On Jun 22, 2016 2:12 AM, "samir-dz" notifications@github.com wrote:
Hello, I have found a bug: Stored XSS on Milestones PM - Project and Task Management (project)
Steps
1- Install the application Milestones PM - Project and Task Management
2- Go to (Projects) https://eu6.salesforce.com/a0C/o
3- Create a new project like: https://eu6.salesforce.com/a0C580000008NOm (test)
4- On the project like (a0C580000008NOm), add new Milestones https://eu6.salesforce.com/a0B/e?CF00N58000005iDpI=test, insert in the Project Milestone Name http://c and save it
5- Open the project https://eu6.salesforce.com/a0C580000008NOm; you will get an XSS popup alert
PoC video: https://www.dropbox.com/s/2tu6cqh8ivib52m/xssM.mp4?dl=0
I have reported it to the Salesforce team. Thanks
Hello, I have found a bug: Stored XSS on Milestones PM - Project and Task Management (project)
1- Install the application Milestones PM - Project and Task Management
2- Go to (Projects) https://eu6.salesforce.com/a0C/o
3- Create a new project like: https://eu6.salesforce.com/a0C580000008NOm (test)
4- On the project like (a0C580000008NOm), add new Milestones https://eu6.salesforce.com/a0B/e?CF00N58000005iDpI=test, insert in the Project Milestone Name
<img src="c" onerror=alert(document.cookie)>
and save it
5- Open the project https://eu6.salesforce.com/a0C580000008NOm; you will get an XSS popup alert
PoC video: https://www.dropbox.com/s/2tu6cqh8ivib52m/xssM.mp4?dl=0
I have reported it to the Salesforce team. Thanks
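The milestone name in the report above contains no script element, so a filter that only strips script tags leaves it intact, while encoding the value on output renders it as inert text. The following is an added example, not part of the original issue or the Milestones PM code; renderMilestoneRow, the table markup and the helper names are hypothetical.

```javascript
// Added example: the renderer and markup are constructed for illustration,
// not taken from the Milestones PM code base.

// The milestone name from the report, as it would sit in storage.
const storedName = '<img src="c" onerror=alert(document.cookie)>';

// Weak approach: a blocklist filter that only removes <script> elements.
function stripScriptTags(value) {
  return String(value).replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '');
}

// Output encoding for HTML text and quoted-attribute contexts.
const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#39;', '`': '&#96;',
};
function encodeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => HTML_ENTITIES[ch]);
}

// Hypothetical renderer for the milestone list on the project page.
function renderMilestoneRow(name, encoder) {
  return '<tr><td class="milestone-name">' + encoder(name) + '</td></tr>';
}

// True if the fragment contains any tag other than the template's own,
// i.e. the stored value was interpreted as markup.
function containsInjectedMarkup(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  const allowed = new Set(['<tr>', '</tr>', '<td class="milestone-name">', '</td>']);
  return tags.some((tag) => !allowed.has(tag));
}

const weak = renderMilestoneRow(storedName, stripScriptTags);
const safe = renderMilestoneRow(storedName, encodeHtml);

console.log('script-tag filter leaves markup:', containsInjectedMarkup(weak));
console.log('output encoding leaves markup:', containsInjectedMarkup(safe));
console.log(safe);
```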