**Headline:**
CVE-2023-38971: Badaso version 2.9.7 has XSS vulnerability in add ranks
Cross Site Scripting vulnerability in Badaso v.0.0.1 thru v.2.9.7 allows a remote attacker to execute arbitrary code via a crafted payload to the rack number parameter in the add new rack function.
**Vendor Homepage:**
Badaso - Open Collective
**Version:**
2.9.7
**Tested On:**
Marcos, review source code
**Affected Page:**
https://badaso-demo.uatech.co.id/dashboard/general/books/add
https://badaso-demo.uatech.co.id/dashboard/general/books/1/edit
**Description:**
An XSS injection vulnerability was found in Badaso v2.9.7. Cross-site scripting (XSS) is a type of security vulnerability that occurs when a web application includes untrusted data in its output to a web browser. This allows malicious scripts to be executed by a user's browser, potentially compromising their data and their interactions with the website. XSS attacks can have various impacts, including theft of sensitive information, session hijacking, website defacement, and more.
**Proof of Concept:**
Log in and access the add racks function.
Inject the XSS payload (alert(1)) into the rack field under Book Groups:
"' test <img src="" onerror="alert(1)">
Go to Books and add a new book, or edit an existing book; the stored payload is then executed.
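The defensive side of this finding, as an added example that is not Badaso's code: it takes the PoC value above as the stored rack value, contrasts interpolating it raw into a template with HTML-encoding it first, and adds an input-side allow-list check for a field that is supposed to hold a rack number. The `<option>` template and the allow-list pattern are assumptions about what such a field looks like, not taken from the project.

```javascript
// Added example (not Badaso's code). Shows why the stored rack value from the
// advisory's PoC fires in the book form when rendered without encoding, and
// what the fixed rendering and input validation look like.

// Payload taken verbatim from the advisory's proof of concept.
const POC_RACK_VALUE = '"\' test <img src="" onerror="alert(1)">';

// Minimal HTML entity encoding for text placed in an element body or a
// double-quoted attribute. Template engines do this by default for their
// normal interpolation syntax; stored XSS of this kind typically arises when
// a raw-HTML sink is used for user-controlled data instead.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable rendering (assumed template): the stored value is spliced
// straight into markup, so the <img onerror=...> becomes a real element.
function renderRackOptionUnsafe(rack) {
  return `<option value="${rack}">${rack}</option>`;
}

// Fixed rendering: every interpolation point is encoded, so the payload is
// shown as literal text and never parsed as a tag.
function renderRackOptionSafe(rack) {
  const e = escapeHtml(rack);
  return `<option value="${e}">${e}</option>`;
}

// Input-side control: a rack number should never contain markup characters.
// The allow-list (letters, digits, space, hyphen; 1-32 chars) is an assumed
// format for this example, not Badaso's actual validation rule.
const RACK_PATTERN = /^[A-Za-z0-9 -]{1,32}$/;
function isValidRackNumber(value) {
  return RACK_PATTERN.test(String(value));
}

// Simple regression check for the rendering layer: the template above emits
// exactly two tags (<option> and </option>), so any extra '<' in the output
// means user data was parsed as markup.
function tagOpenCount(html) {
  return (html.match(/</g) || []).length;
}

// Stand-alone demonstration.
console.log('valid rack "A-12":', isValidRackNumber('A-12'));
console.log('valid rack (PoC):', isValidRackNumber(POC_RACK_VALUE));
console.log('unsafe tags:', tagOpenCount(renderRackOptionUnsafe(POC_RACK_VALUE)));
console.log('safe tags:  ', tagOpenCount(renderRackOptionSafe(POC_RACK_VALUE)));
console.log('safe html:  ', renderRackOptionSafe(POC_RACK_VALUE));
```

Both controls belong together: the encoding fix is what actually removes the vulnerability at the output sink, while the allow-list on the rack number keeps obviously malformed values out of the database in the first place and makes the stored payload visible in validation logs rather than in a victim's browser.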