Advertisement






Taskhub 2.8.8 Cross Site Scripting

CVE Category Price Severity
CVE-2021-37689 CWE-79 $500 High
Author Risk Exploitation Type Date
Unknown High Remote 2023-09-24
CVSS
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2023090074

Below is a copy:

Taskhub 2.8.8 Cross Site Scripting
## Title: TASKHUB-2.8.8-XSS-Reflected
## Author: nu11secur1ty
## Date: 09/22/2023
## Vendor: https://codecanyon.net/user/infinitietech
## Software: https://codecanyon.net/item/taskhub-project-management-finance-crm-tool/25685874
## Reference: https://portswigger.net/web-security/cross-site-scripting


## Description:
The value of the JSON parameter within the project parameter is copied
into the HTML document as plain text between tags. The payload
vn5mr<img src=a onerror=alert(1)>i62kl was submitted in the JSON
parameter within the project parameter. This input was echoed
unmodified in the application's response. The already authenticated
(by using a USER ACCOUNT)attacker can get a CSRF token and cookie
session it depends on the scenarios.


STATUS: HIGH Vulnerability

[+]Test exploit:

```
surw7%3Cscript%3Ealert(1)%3C%2fscript%3E
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/infinitietech/TASKHUB-2.8.8)

## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/09/taskhub-288-xss-reflected.html)

## Time spent:
01:10:00


Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.