Summary
All text fields on the webpage are vulnerable to XSS attacks. The user input isn't (fully) sanitized after submission.
Details
Tried exploits:
" classs="first-name" type="text" placeholder="Vorname"><script>console.log('Hello World')</script><input value="
If you click on the "Neue Person" button, the script tag gets in the HTML, the code inside of it gets never executed, so you only can only break the site, without the possibility to execute any code.
<script>console.log('Hello World')</script>
If you print the document, the field is empty, but no code gets executed
;
If you export it to a CSV-file you can add an arbitrary number of fields.
\n
Did nothing, was included in the CSV as \n and did not cause a new line.
PoC
Impact
I was only able to render the site unresponsive or break the design. Possibly everything a XSS can do, but I was not able to run any code.
quirinziessler Reporter
Summary
All text fields on the webpage are vulnerable to XSS attacks. The user input isn't (fully) sanitized after submission.
Details
Tried exploits:
" classs="first-name" type="text" placeholder="Vorname"><script>console.log('Hello World')</script><input value="If you click on the "Neue Person" button, the script tag gets in the HTML, the code inside of it gets never executed, so you only can only break the site, without the possibility to execute any code.
<script>console.log('Hello World')</script>If you print the document, the field is empty, but no code gets executed
;If you export it to a CSV-file you can add an arbitrary number of fields.
\nDid nothing, was included in the CSV as \n and did not cause a new line.
PoC
Impact
I was only able to render the site unresponsive or break the design. Possibly everything a XSS can do, but I was not able to run any code.