A Tale of Reflected XSS to Stored which ultimately resulted into a CVE

Mufaddal Masalawala
2 min read, Sep 12, 2020


Hi guys, this is my first blog, so please excuse any mistakes you encounter.

I usually (cough: I meant rarely) hunt for bugs on Hackerone but unfortunately end up getting duplicates or no bug at all.

This time, while doing my pentest research, I came upon a project management software called Nifty-PM.

As any normal tester would, I began by entering XSS scripts in every input field and looking for their response rendered in the browser.

I came upon the task module, where I realized the application was trimming ‘<script>’ & ‘</script>’ and allowed only “alert(12);” to get submitted.

Hmm, okay, so the application makes use of whitelisted characters.

I tried using the payload ‘<svg/onload=alert(document.cookie)>’, which surprisingly gave an alert but didn't get saved in the tasks. (Reflected XSS)

So, this time I tried encoding my payload to its HTML equivalent.

&lt;svg/onload&equals;alert(document.cookie)&gt;

And BOOM! It rendered, gave an alert and got saved in tasks.

The vulnerability is now patched.

CVE ID: CVE-2020-25071

Key Takeaway: Many applications encode or decode our input before filtering or rendering it, so the plain form of a script is not always the form the application ends up working with, and a payload that is blocked as-is may not tell the whole story. Encoding it one level further may give you an alert.
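To make the takeaway concrete from the defender's side, here is an added example (written for this post, not code from the post or from Nifty-PM) that models a filter which only strips literal script tags, a renderer that entity-decodes stored text before writing it into the page (an assumption about why the encoded payload fired), and the two fixes a practitioner would want: canonicalize before validating, and escape on output.

```python
import html
import re

# Constructed sample inputs mirroring the three payloads discussed in the post.
PAYLOADS = [
    "<script>alert(12);</script>",
    "<svg/onload=alert(document.cookie)>",
    "&lt;svg/onload&equals;alert(document.cookie)&gt;",
]

TAG_RE = re.compile(r"<[a-z][^>]*>", re.IGNORECASE)


def strip_script_tags(value: str) -> str:
    """Blacklist filter of the kind the post describes: removes only the
    literal <script> / </script> tokens. Everything else passes through."""
    return re.sub(r"</?script>", "", value, flags=re.IGNORECASE)


def render_unsafe(stored: str) -> str:
    """Assumed vulnerable output path: entity-decodes the stored value, so
    &lt;svg ...&gt; becomes live markup in the page."""
    return html.unescape(stored)


def render_safe(stored: str) -> str:
    """Fix 1, contextual output encoding: escape on the way out, no matter
    what the input filter did or did not catch."""
    return html.escape(stored, quote=True)


def canonicalize(value: str) -> str:
    """Fix 2, normalize before validating: decode entities until the text
    stops changing, so the check sees what the browser would see."""
    while (decoded := html.unescape(value)) != value:
        value = decoded
    return value


def contains_markup(text: str) -> bool:
    """Detection check: does this text contain an HTML element at all?"""
    return bool(TAG_RE.search(text))


def evaluate(payload: str) -> dict:
    """Trace one input through the filter and both output paths."""
    stored = strip_script_tags(payload)
    return {
        "stored": stored,
        "unsafe_fires": contains_markup(render_unsafe(stored)),
        "safe_fires": contains_markup(render_safe(stored)),
        "rejected_by_canonical_check": contains_markup(canonicalize(payload)),
    }
```

Running `evaluate` over the three payloads shows the first trimmed to `alert(12);`, the second passing the filter untouched, and the third only becoming markup once the unsafe renderer decodes it, while both fixes stop it.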

Please do show some love if you liked it. I’ll be coming out with more such short blogs in the future.

Cheers!
