Vulnerability Serious

Open on Drupal.org →

Created on 28 January 2023, almost 2 years ago

Updated 13 March 2023, over 1 year ago

Hello team! Found XSS active on your site!
With its help, you can knock down the entire site.engagebay.com
For example:
1. Admin creates a project
2. Invites a user to the project with the rights to invite other users
3. Log in from this user with invitation rights and send
4. intercept the request with Charles
5. Edit the request and specify in the picture_url request:

we update the page and get the XSS stored and the project can no longer be launched! And so, the conclusion. The user can put the entire project to the administrator in a couple of minutes)
Are you paying for vulnerabilities? It is very serious. In addition, it is possible to steal the project administrator's COOKIE.

🐛 Bug report

Status

Closed: cannot reproduce

Version

1.0

Component

Code

Created by

🇺🇦Ukraine fireve

Live updates comments and jobs are added and updated live.

xss bug bounty

Sign in to follow issues

Comments & Activities

Issue created by @fireve
Comment almost 2 years ago →
🇺🇦Ukraine fireve
Comment almost 2 years ago →
🇺🇸United States engagebay
Could you please let us know which file are you discussing? We don't think we have any administrator cookies in the browser for EngageBay.
Comment almost 2 years ago →
🇺🇦Ukraine fireve
Good day!
Do you have a user cookie? So, I can steal this COOKIE with this XSS
If you add me to your project, I will steal your COOKIE and the project will not work until I remove this code that I added. This 100% needs to be fixed. Please check this vulnerability
Status changed to Closed: cannot reproduce over 1 year ago10:01am 13 March 2023
Comment over 1 year ago →
🇺🇸United States engagebay

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024