gcivil-nyu-org / fall24-monday-team4


XSS in the Report User Page #110

Open ZENG-Zhuo opened 2 days ago

ZENG-Zhuo commented 2 days ago

Description: XSS found on the subject attribute in the report user page. Details requested by the TA are as below:

Account Used: Username: test1_user Password: 123123123.

Steps Followed: (a) Navigate to another user's profile and report them. Type in the following as the subject:

<a href="javascript:alert('Hello')">GG</a>

(b) Navigate to the user report page as admin and view the report; we can see a successful XSS injection that runs arbitrary code.

Page URL: https://routepals-dev-env.us-west-2.elasticbeanstalk.com/adminview/#reports
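The issue does not show the repository's rendering code, so the following is an added example (not the project's own) of the defect the report describes and of its fix: a hypothetical admin report-row renderer that interpolates the subject raw, beside one that escapes every user-controlled field before it reaches the page. The report row fields and the second username are constructed; the subject is the payload from the steps above.

```python
import html
from dataclasses import dataclass

# Constructed input: the subject string from the reproduction steps above.
REPORT_SUBJECT = "<a href=\"javascript:alert('Hello')\">GG</a>"


@dataclass
class UserReport:
    reporter: str
    reported: str
    subject: str


def render_report_row_unsafe(report: UserReport) -> str:
    """The defective pattern: user input interpolated straight into markup.
    Whatever the reporter typed becomes part of the admin page's DOM."""
    return (f"<tr><td>{report.reporter}</td><td>{report.reported}</td>"
            f"<td>{report.subject}</td></tr>")


def render_report_row_safe(report: UserReport) -> str:
    """Escape every user-controlled field for the HTML text context before
    interpolation. quote=True also turns ' and " into entities, so the same
    helper is safe inside quoted attribute values."""
    cells = (html.escape(value, quote=True)
             for value in (report.reporter, report.reported, report.subject))
    return "<tr>" + "".join(f"<td>{cell}</td>" for cell in cells) + "</tr>"


def contains_live_markup(rendered: str, user_value: str) -> bool:
    """Regression check: True if a user value containing markup survived into
    the output verbatim, i.e. the browser would parse it as tags, not text."""
    return "<" in user_value and user_value in rendered


if __name__ == "__main__":
    report = UserReport("test1_user", "reported_user", REPORT_SUBJECT)
    print(render_report_row_unsafe(report))  # anchor tag is live
    print(render_report_row_safe(report))    # anchor tag shown as literal text
```

If the admin view at `/adminview/#reports` builds the table client-side instead, the same rule applies there: assign the subject with `textContent` rather than `innerHTML`.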

samaraaugust commented 2 days ago

Thank you for bringing this to our attention!