Summary
Unsanitized input when creating milestone attachments allows end users to inject JavaScript payloads into the title field of the milestone object. The stored XSS payload is triggered when the milestone is part of a goal and a user edits that goal (see video example).
PoC
YouTube Link: https://youtu.be/n95p1SMP-_A
Impact
Malicious JavaScript can be stored and executed on the client side, which can let an attacker steal credentials stored in the browser.
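The root cause described above is a stored title being written into markup without encoding. The following is an added illustration, not code from the advisory or from the affected project: a vulnerable renderer that interpolates the raw title beside a hardened one that HTML-encodes every user-originated value, plus a creation-time validation check as defence in depth. The function names (renderMilestoneUnsafe, renderMilestoneSafe, escapeHtml, validateMilestoneTitle), the milestone shape and the sample record are assumptions made for the example.

```javascript
// Added example (not from the advisory or the affected project). Shows why
// output encoding is the fix for a stored XSS in a milestone title.
// Names and the milestone record shape are assumptions for illustration.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode the five characters that change meaning in HTML text and
// double-quoted attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored title goes straight into the markup, so any
// tags it carries become part of the page when the goal editor renders it.
function renderMilestoneUnsafe(milestone) {
  return `<li class="milestone" data-id="${milestone.id}">${milestone.title}</li>`;
}

// Hardened pattern: each value that originated from user input is encoded for
// the context it lands in (text node for the title, attribute for data-id).
function renderMilestoneSafe(milestone) {
  const id = escapeHtml(milestone.id);
  const title = escapeHtml(milestone.title);
  return `<li class="milestone" data-id="${id}">${title}</li>`;
}

// Defence in depth: reject titles containing angle brackets when the milestone
// is created, so the stored record never carries markup. Output encoding stays
// the primary control; this server-side check only narrows what gets stored.
function validateMilestoneTitle(title) {
  if (typeof title !== 'string') {
    return { ok: false, reason: 'title must be a string' };
  }
  const trimmed = title.trim();
  if (trimmed.length === 0 || trimmed.length > 200) {
    return { ok: false, reason: 'title must be 1-200 characters' };
  }
  if (/[<>]/.test(trimmed)) {
    return { ok: false, reason: 'title must not contain HTML tags' };
  }
  return { ok: true, title: trimmed };
}

// Constructed sample record: a milestone whose title carries a script tag.
const sampleMilestone = { id: 42, title: 'Q3 launch <script>xss()</script>' };

// Stand-alone demo: the unsafe renderer emits the tag as live markup, the safe
// renderer emits it as inert text, and validation refuses the title up front.
console.log('unsafe  :', renderMilestoneUnsafe(sampleMilestone));
console.log('safe    :', renderMilestoneSafe(sampleMilestone));
console.log('validate:', validateMilestoneTitle(sampleMilestone.title));
```

Encoding at the rendering boundary is what actually closes the bug; the validation step is optional hardening and should not be relied on alone, because titles already stored, or accepted through another code path, would still reach the renderer unencoded.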