Stored XSS on Blog that utilized HTML Editor form

Steps to Reproduce:
1. Log in with any client account and navigate to "https://lavalite.org/client/job/job" to see the job created by the user.

<img width="960" alt="Image" src="https://github.com/user-attachments/assets/9ff02564-27e2-4550-9cea-4c33ece773fd" />

2. There will be at least 3 HTML Editor form such as Skills, Descriptions, and Responsibilities. For this demonstration, a field "Responsibilities" will be utilized.

<img width="960" alt="Image" src="https://github.com/user-attachments/assets/7909abb1-8fda-4da5-a5c1-08df705c0bcd" />

3. Capture the request and modify the value of the "Responsibilities" to include XSS payload.

<img width="960" alt="Image" src="https://github.com/user-attachments/assets/4eca624e-85dd-4bad-9084-ab1cfbe9986d" />

4. Then, view the job and get JavaScript execution.

<img width="960" alt="Image" src="https://github.com/user-attachments/assets/d770c25c-69d5-4cf3-82ce-2b401f2f17b6" />

Note that you can visit my job post (https://lavalite.org/job/test-2) to experience the XSS.


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Stored XSS on Blog that utilized HTML Editor form #422

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Stored XSS on Blog that utilized HTML Editor form #422

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions