Hello
I just got a bug report from a whitehat hacker regarding the Bryntum scheduler. XSS can be used to steal session cookies and other user information, perform advanced phishing techniques and other browser attacks.
Steps to reproduce:
Create or edit an appointment in the calendar.
Set the title of the appointment to this XSS payload:
"><img src=x onerror=prompt("XSS_Vulnerability")>
Once saved, it should trigger the XSS. It can also be triggered when you hover over the event itself, due to the pop-up information of the appointment.
Is this a known issue?
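As an added illustration of the class of bug the report describes (this is not code from the original post and not Bryntum's own rendering code; it does not use the Bryntum API at all), the block below shows a minimal string-based event renderer that puts the appointment title straight into the event bar and its hover tooltip, beside a hardened version that escapes the title first. `renderEventUnsafe`, `renderEventSafe`, `escapeHtml`, `injectedTags` and the sample `appointment` are hypothetical names constructed for this example; the payload string is the one quoted in the report.

```javascript
// Added example, not Bryntum's code: a minimal renderer that reproduces the
// reported behaviour (title rendered as raw HTML in the event bar and in the
// hover tooltip) next to a hardened renderer that escapes untrusted values.

// The payload quoted in the bug report.
const XSS_PAYLOAD = '"><img src=x onerror=prompt("XSS_Vulnerability")>';

// Constructed sample appointment, as a user would create it in the calendar UI.
const appointment = {
  id: 1,
  name: XSS_PAYLOAD,
  startDate: '2024-01-15 09:00',
  endDate: '2024-01-15 10:00',
};

// Vulnerable pattern: the user-controlled title is concatenated into markup for
// both the event bar and the tooltip. The payload closes the title="..."
// attribute and the tag, then injects an <img> whose onerror handler runs.
function renderEventUnsafe(ev) {
  const bar = `<div class="event" title="${ev.name}">${ev.name}</div>`;
  const tooltip =
    `<div class="tooltip"><b>${ev.name}</b><br>${ev.startDate} - ${ev.endDate}</div>`;
  return { bar, tooltip };
}

// Escape every character that can change HTML structure, so the value is safe
// both inside a double-quoted attribute and as element text. With a real DOM,
// prefer textContent / setAttribute over string building; this escaper covers
// the string-template style used here.
function escapeHtml(value) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#39;', '`': '&#96;',
  };
  return String(value).replace(/[&<>"'`]/g, (ch) => map[ch]);
}

// Hardened renderer: identical templates, but every untrusted field is escaped
// before it is placed in the markup (the tooltip included, since the report
// notes the payload also fires on hover).
function renderEventSafe(ev) {
  const name = escapeHtml(ev.name);
  const bar = `<div class="event" title="${name}">${name}</div>`;
  const tooltip =
    `<div class="tooltip"><b>${name}</b><br>` +
    `${escapeHtml(ev.startDate)} - ${escapeHtml(ev.endDate)}</div>`;
  return { bar, tooltip };
}

// Crude check to show the difference: list element start tags in the rendered
// string other than the ones the templates themselves emit. A real test would
// parse the HTML structurally; this is kept dependency-free on purpose.
const TEMPLATE_TAGS = new Set(['div', 'b', 'br']);
function injectedTags(html) {
  const found = [];
  for (const m of html.matchAll(/<([a-zA-Z][a-zA-Z0-9]*)/g)) {
    const tag = m[1].toLowerCase();
    if (!TEMPLATE_TAGS.has(tag)) found.push(tag);
  }
  return found;
}

// Stand-alone demonstration of both renderers on the constructed appointment.
const unsafeOut = renderEventUnsafe(appointment);
const safeOut = renderEventSafe(appointment);
console.log('unsafe bar injected tags:', injectedTags(unsafeOut.bar));
console.log('unsafe tooltip injected tags:', injectedTags(unsafeOut.tooltip));
console.log('safe bar injected tags:', injectedTags(safeOut.bar));
console.log('safe tooltip injected tags:', injectedTags(safeOut.tooltip));
console.log('safe bar markup:', safeOut.bar);
```

The unsafe renderer yields a live `<img>` element in both the bar (twice, once from the attribute break-out and once from the element text) and the tooltip, which matches the two trigger points in the report; the hardened renderer yields only the template's own tags, with the payload visible as literal text. Escaping has to be applied at every sink where the title is emitted, not just the one where the bug was first noticed.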