
[Security] Stored XSS in private task

Open • edoardottt opened this issue 2 years ago • 0 comments

Tested version: latest

Steps to reproduce the vulnerability:

  • Log in to the application.
  • Click on Add a Private task.
  • Set "<script>alert(document.domain)</script>" as the task description and save.
  • XSS will fire whenever the task is reflected in the page.

[Screenshot attached: "Screenshot from 2023-03-25 16-28-53"]

edoardottt • Mar 25 '23 15:03
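The report above describes a stored task description that is written back into the page unencoded. The following is an added example, not code from the issue or from the project: it puts an unencoded render beside an output-encoded one and includes a regression check that the stored data never changes the markup structure. The page does not show the application's code, so `renderTaskUnsafe`, `renderTaskSafe`, `dataChangesMarkup` and the task objects are hypothetical.

```javascript
// Added example: all function names and sample data are hypothetical.

// Characters that are significant in HTML text and quoted-attribute contexts.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Single-pass replacement, so an already-produced "&" is never re-escaped.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored description is concatenated into markup as-is.
function renderTaskUnsafe(task) {
  return `<li class="task" title="${task.description}">${task.description}</li>`;
}

// Hardened pattern: encode at output time, in every place the value is written.
function renderTaskSafe(task) {
  const d = escapeHtml(task.description);
  return `<li class="task" title="${d}">${d}</li>`;
}

// Count the characters that open tags or delimit attributes.
function markupShape(html) {
  return {
    lt: (html.match(/</g) || []).length,
    quotes: (html.match(/"/g) || []).length,
  };
}

// Regression check: rendering any description must yield the same markup
// structure as rendering an empty one. True means the data altered the markup.
function dataChangesMarkup(render, task) {
  const base = markupShape(render({ description: '' }));
  const got = markupShape(render(task));
  return base.lt !== got.lt || base.quotes !== got.quotes;
}

// Constructed sample data: the description from the report and a benign task.
const storedTasks = [
  { id: 1, description: '<script>alert(document.domain)</script>' },
  { id: 2, description: 'Buy milk & "bread"' },
];

for (const task of storedTasks) {
  console.log(task.id,
    'unsafe alters markup:', dataChangesMarkup(renderTaskUnsafe, task),
    '| safe alters markup:', dataChangesMarkup(renderTaskSafe, task));
}
```

The benign second task also fails the check under the unencoded render, because its quotes break out of the `title` attribute; encoding is a correctness fix as well as a security one.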