Taskhub 2.8.8 Cross Site Scripting

## Title: TASKHUB-2.8.8-XSS-Reflected## Author: nu11secur1ty## Date: 09/22/2023## Vendor: https://codecanyon.net/user/infinitietech## Software: https://codecanyon.net/item/taskhub-project-management-finance-crm-tool/25685874## Reference: https://portswigger.net/web-security/cross-site-scripting## Description:The value of the JSON parameter within the project parameter is copiedinto the HTML document as plain text between tags. The payloadvn5mr<img src=a onerror=alert(1)>i62kl was submitted in the JSONparameter within the project parameter. This input was echoedunmodified in the application's response. The already authenticated(by using a USER ACCOUNT)attacker can get a CSRF token and cookiesession it depends on the scenarios.STATUS: HIGH Vulnerability[+]Test exploit:```surw7%3Cscript%3Ealert(1)%3C%2fscript%3E```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/infinitietech/TASKHUB-2.8.8)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/09/taskhub-288-xss-reflected.html)## Time spent:01:10:00