File Name XSS on Devo.com

  • Reported to Devo
  • Reported by Haqtify
  • Medium (5)
  • $500
  • Published 5 months ago
  • No Likes

URL:

https://app-es-pre.devo.com

Description:

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

Payload:

https://drive.google.com/file/d/1q1zkAOOrogkRb_hdQdetzQLS6tEKomsZ/view?usp=sharing

Steps To Reproduce:

1.Login Account and Goto Data Upload.

2. Now click on Local files and Upload file with XSS Payload title (Attached).

3 Click Upload > fill Parsing form > Confirm Setting > Confirm and Send > XSS executed.

POC:

DEVO POLICY:

https://www.devo.com/responsible-vulnerability-disclosure-program/