Our pure JavaScript Scheduler component


Post by braincept »

Hello

I just got a bug report from a whitehat hacker regarding the Bryntum scheduler. XSS can be used to steal session cookies and other user information, perform advanced phishing techniques and other browser attacks.

Steps to reproduce:

  1. Create or edit an appointment in the calendar.

  2. Set the title of the appointment to this XSS payload:

"><img src=x onerror=prompt("XSS_Vulnerability")>

  3. Once saved it should trigger the XSS. It can also be triggered when you hover on the event itself due to the pop-up information of the appointment.

Is this a known issue?
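The root cause described in the report is an event title being interpolated into HTML (event bar and hover tooltip) without escaping. The following is an added example, not Bryntum's code and not the poster's: `escapeHtml` is a plain entity-encoding helper, `renderEventTitle` is a hypothetical renderer hook standing in for an event renderer or tooltip template, and `sampleEvent` is a constructed record carrying the payload quoted above so the difference between the escaped and unescaped output can be checked.

```javascript
// Added example (not Bryntum's code): escape untrusted text before it is
// interpolated into an HTML template such as an event bar or tooltip body.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[ch]);
}

// Hypothetical renderer hook: builds the HTML for an event's title, the way a
// scheduler's event renderer or tooltip template would. The name is escaped.
function renderEventTitle(eventRecord) {
  return `<div class="event-title">${escapeHtml(eventRecord.name)}</div>`;
}

// Unescaped variant, kept only to contrast with the hardened one above.
// This is the pattern that lets the reported payload execute.
function renderEventTitleUnsafe(eventRecord) {
  return `<div class="event-title">${eventRecord.name}</div>`;
}

// Regression check for a unit test or code review: the rendered markup must
// not contain any element other than the wrapper <div> produced here.
function containsForeignTag(html) {
  return /<(?!\/?div\b)[a-z]/i.test(html);
}

// Constructed sample record using the payload reported in this thread.
const sampleEvent = {
  name: '"><img src=x onerror=prompt("XSS_Vulnerability")>',
};

// Stand-alone run: prints the escaped markup and the check results.
console.log(renderEventTitle(sampleEvent));
console.log('escaped output has foreign tag:', containsForeignTag(renderEventTitle(sampleEvent)));
console.log('unescaped output has foreign tag:', containsForeignTag(renderEventTitleUnsafe(sampleEvent)));
```

The same `escapeHtml` call has to be applied at every place the title reaches markup, including the hover tooltip mentioned in step 3, since escaping in one renderer does nothing for another. Where the title is written with `textContent` instead of `innerHTML` no escaping is needed, because the browser never parses it as HTML.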


Post by pmiklashevich »

Thanks for the report! Ticket here: https://github.com/bryntum/support/issues/1541

Pavlo Miklashevych
Sr. Frontend Developer


Post by braincept »

Hi Pavel

Thanks for creating a ticket. This bug was discovered by Judy Magleo <bugbounty@judymagleo.com>. In case you have a bug bounty program, please contact her. I will forward the information about the bug to her too.

Thanks!

