XSS in blinkSale

Hey guys, today I am going to post a write-up on bug bounty. So let's get started.

1. Go to ESTIMATES tab in your dashboard. 
2. Click on New Estimate 
3. In the New Estimate, you will see "Add a new client" after the 'Client' field. Click on 'Add a new client'. 
4. In the company name field, type the XSS payload (<script>alert(document.cookie)</script>).
5. Fill in the other details like name and email with anything you like and click on "SAVE COMPANY".
6. Voilà! You will see the XSS prompt.



Type that XSS payload there, and this will pop up.


I reported this vulnerability on Bugcrowd around 6 months back. I still didn't get any response. Hence disclosing it here. :)
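
The fix for a finding like this is output encoding of the company name wherever it is rendered, plus an HttpOnly session cookie so that document.cookie in an injected script cannot read it. The sketch below is an added example, not Blinksale's code and not part of the original report; the function names, the span markup and the cookie name are assumptions.

```javascript
// Added example: function names, markup and cookie name are assumptions.

// The five characters that matter in HTML text and quoted attribute values.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the saved company name is concatenated into markup,
// so a name containing <script> reaches the browser as a script element.
function renderClientUnsafe(client) {
  return '<span class="client" data-id="' + client.id + '">' +
         client.company + '</span>';
}

// Hardened pattern: every dynamic value is encoded at output time,
// so the same name is displayed as text instead of being executed.
function renderClientSafe(client) {
  return '<span class="client" data-id="' + escapeHtml(client.id) + '">' +
         escapeHtml(client.company) + '</span>';
}

// Defence in depth: an HttpOnly cookie is not exposed through
// document.cookie, which is what the payload in step 4 reads.
function sessionCookieHeader(token) {
  return 'session=' + encodeURIComponent(token) +
         '; Path=/; HttpOnly; Secure; SameSite=Lax';
}

// Constructed sample record using the company name from step 4.
const sampleClient = {
  id: 7,
  company: '<script>alert(document.cookie)</script>',
};

console.log('unsafe:', renderClientUnsafe(sampleClient));
console.log('safe:  ', renderClientSafe(sampleClient));
console.log('cookie:', sessionCookieHeader('constructed-token'));
```

Encoding at render time covers every page that shows the client name, including ones that load a company saved before the fix.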