Stored-xss is working

Disclosed by

Engagement Indeed
Disclosed date 6 May 2022 almost 3 years ago
Points 1
Priority P4 Bugcrowd's VRT priority rating
Status Resolved This vulnerability has been accepted and fixed

Summary by agnihackers123

hello @Indeed I found stored-cross site on the activity which allows an attacker to steal admin account cookies.

Impact

Users can execute JavaScript code in the context of other users. This is critical when targeted users have high privileges. Attackers are then able to grant themselves the administrator privileges and even takeover the ownership of the New Relic account.

The hacker selected the Cross-site Scripting (XSS) - Stored weakness. This vulnerability type requires contextual information from the hacker. They provided the following answers:

STEP TO REPRODUCE:-

1)open the url:- [site]
2)Then type the company name is "hello"
3)Then change hello to javascript is entered
4)next button > click
5)Then show the popup message .
6)next page is on then refresh the page cookie is working popup message is show.
7)This is stored XSS.

This vuln is stored-xss . Attacker targeted users have high privileges. The hacker selected the Cross-site Scripting (XSS) - Stored weakness.

-->>Even attacker can easily get the cookie.

Thanks.

Activity

Kyle_indeed Customer published the disclosure report
3 years ago(06 May 2022 07:56:19 UTC)
agnihackers123 updated the disclosure summary
5 years ago(18 Jun 2020 04:17:50 UTC)
agnihackers123 sent a message
5 years ago(18 Jun 2020 04:14:08 UTC)
Jarvis Customer changed the state to Resolved
5 years ago(17 Jun 2020 21:57:05 UTC)
cliff_bugcrowd sent a message
5 years ago(29 Jan 2020 05:18:14 UTC)
agnihackers123 sent a message
5 years ago(29 Jan 2020 04:05:35 UTC)
agnihackers123 sent a message
5 years ago(11 Jan 2020 07:39:54 UTC)
agnihackers123 sent a message
5 years ago(11 Jan 2020 07:24:58 UTC)
Scourge_BC marked the submission a duplicate of a previously submitted report
5 years ago(11 Jan 2020 01:40:41 UTC)
Scourge_BC changed the state to Unresolved
5 years ago(11 Jan 2020 01:40:41 UTC)
Scourge_BC updated VRT to Cross-Site Scripting (XSS) > Stored > Self
5 years ago(11 Jan 2020 01:40:40 UTC)
Scourge_BC rewarded agnihackers123 1 point
5 years ago(11 Jan 2020 01:40:40 UTC)
Scourge_BC sent a message
5 years ago(11 Jan 2020 01:40:31 UTC)
agnihackers123 sent a message
5 years ago(08 Jan 2020 10:33:50 UTC)
agnihackers123 updated the disclosure summary
5 years ago(08 Jan 2020 10:29:38 UTC)
agnihackers123 requested disclosure
5 years ago(08 Jan 2020 10:07:47 UTC)
a Crowdcontrol user sent a message
5 years ago(08 Jan 2020 10:00:30 UTC)
agnihackers123 created the submission
5 years ago(08 Jan 2020 10:00:30 UTC)