The plugin did not sanitise or escape some of its fields when creating a new sheet, allowing high privilege users to add JavaScript in them, leading to a Stored Cross-Site Scripting issue. The payloads will be triggered when viewing the 'All Sheets' page in the admin dashboard.
As admin, add a new Sheet and add the following payload in the "Title", "Details" and "Task" fields: <script>alert("Test")</script> The XSS will be triggered whenever an admin goes to the All Sheets page.
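The two missing controls, sanitising on save and escaping on output, shown side by side for the three affected fields. This is an added example, not the plugin's code: all function and variable names are hypothetical, the sample input is constructed from the proof of concept above, and plain PHP functions stand in for the WordPress helpers (`sanitize_text_field()`, `esc_html()`) so that it runs without WordPress.

```php
<?php
declare(strict_types=1);

// Constructed sample input: the three fields from the proof of concept.
$payload = '<script>alert("Test")</script>';
$submitted = ['title' => $payload, 'details' => $payload, 'task' => $payload];

// Input side: drop markup before the value is stored.
// (Assumption: in a WordPress plugin, sanitize_text_field() fills this role.)
function sanitize_sheet_field(string $raw): string
{
    return trim(strip_tags($raw));
}

// Output side: encode for an HTML text context at render time.
// (Assumption: in a WordPress plugin, esc_html() fills this role.)
function escape_sheet_field(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern: stored values are concatenated into the listing as-is.
function render_row_unescaped(array $sheet): string
{
    return '<tr><td>' . $sheet['title'] . '</td><td>' . $sheet['details']
        . '</td><td>' . $sheet['task'] . '</td></tr>';
}

// Hardened pattern: every field is escaped where it is printed, so rows
// stored before the fix are rendered inert as well.
function render_row_escaped(array $sheet): string
{
    $cells = array_map('escape_sheet_field', [$sheet['title'], $sheet['details'], $sheet['task']]);
    return '<tr><td>' . implode('</td><td>', $cells) . '</td></tr>';
}

$stored_raw   = $submitted;                                    // what the vulnerable flow saves
$stored_clean = array_map('sanitize_sheet_field', $submitted); // what a sanitising flow saves

echo 'unescaped, raw storage: ', render_row_unescaped($stored_raw), PHP_EOL;
echo 'escaped, raw storage:   ', render_row_escaped($stored_raw), PHP_EOL;
echo 'escaped, clean storage: ', render_row_escaped($stored_clean), PHP_EOL;

// The hardened listing must never contain a live script tag.
if (stripos(render_row_escaped($stored_raw), '<script') !== false) {
    exit(1);
}
```

Escaping at output is the control that protects the All Sheets listing even for rows saved before the fix; sanitising on save alone leaves previously stored payloads active.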
Ajay Sandipan Thorbole
Ajay Sandipan Thorbole
Yes
2021-06-21 (about 1 years ago)
2021-06-21 (about 1 years ago)
2021-06-25 (about 1 years ago)