ONEST CRM 1.0 Cross Site Scripting

┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://onesttech.com/details/crm                                          ││  Vendor   : Onest Tech                                                                 ││  Software : ONEST CRM 1.0 - Customer Relationship Management System Software           ││  Vuln Type: Stored XSS                                                                 ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  Allow Attacker to inject malicious code into website, give ability to steal sensitive ││  information, manipulate data, and launch additional attacks.                          ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘   Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09           CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘## Stored XSS------------------------------------------------------------POST /admin/project/update/2 HTTP/2Content-Disposition: form-data; name="name"<script>alert(1)</script>------------------------------------------------------------POST parameter 'name' is vulnerable to XSS## Steps to Reproduce:1. Login (as Client) "Normal User"2. Go to [Project List] on this Path (https://website/admin/project)3. Select any Project Click on the ... then Select [Edit]4. Inject your [XSS Payload] in "Name"5. Scroll Down and Press [Update]6. XSS Will Fire on Client Browser5. When ADMIN Visit the [Project List] to Check the Projects on this Path (https://website/admin/project) in administration Panel6. XSS will Fire & Executed on his BrowserNote: the Path for [Client Users] and [ADMIN] on the website it looks the same on "/admin/"      but The Client User Panel is Limited & don't show all Administration MENU Options in the Administration Panel to manage the website[-] Done