By: Rivera Rivera user 13 Feb 2020 at 2:53 a.m. CST

I have identified that it is possible to execute JavaScript code on the Import People functionality.

**STEPS TO REPRODUCE:**

You have to create a file with the following filename: `"><img src=x onerror=alert(1)>.xlsx`

When you try to upload this file, the alert will be executed.

**HOW TO FIX:**

Apply output encoding to the filename parameter.

**REFERENCES:**

https://owasp.org/www-project-cheat-sheets/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet
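The fix the report recommends, worked through as an added example (this is not code from the original post or from the affected product): the filename is HTML-encoded at output time following rule #1 of the linked OWASP cheat sheet, the unencoded rendering is kept alongside for contrast, and an allowlist check on the filename is included as an assumed defence-in-depth step that the report itself does not mention. The `renderUploadMessage*` functions and the `SAFE_FILENAME` pattern are assumptions for illustration; the sample filename is the one given in the report.

```javascript
// Added example: output encoding of an uploaded filename before it is
// reflected into HTML. Not the original post's or the product's own code.

// HTML entity encoder per OWASP XSS Prevention Cheat Sheet rule #1:
// encode & < > " ' / before inserting untrusted data into element content.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '/': '&#x2F;',
};

function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering (assumed shape of the bug the report describes):
// the filename is concatenated raw into markup, so a filename containing
// markup becomes live HTML in the page.
function renderUploadMessageUnsafe(filename) {
  return `<p>Uploading file: ${filename}</p>`;
}

// Fixed rendering: the same message with the filename encoded at output time.
function renderUploadMessage(filename) {
  return `<p>Uploading file: ${escapeHtml(filename)}</p>`;
}

// Defence in depth (assumption, not part of the report): accept only
// conservative filenames before the upload is processed at all.
const SAFE_FILENAME = /^[A-Za-z0-9][A-Za-z0-9 ._-]{0,254}$/;
function isAcceptableFilename(filename) {
  return SAFE_FILENAME.test(filename);
}

// Check used in tests/reviews: an encoded fragment must contain none of the
// characters that can open a tag or break out of a quoted attribute.
function containsRawMarkup(fragment) {
  return /[<>"']/.test(fragment);
}

// Constructed sample input: the filename quoted in the report.
const REPORTED_FILENAME = '"><img src=x onerror=alert(1)>.xlsx';

console.log('unsafe :', renderUploadMessageUnsafe(REPORTED_FILENAME));
console.log('fixed  :', renderUploadMessage(REPORTED_FILENAME));
console.log('allowed:', isAcceptableFilename(REPORTED_FILENAME));
```

The encoder is applied at the point where the value enters HTML, not at upload time, so the stored filename stays intact and the same value can later be encoded differently for a JavaScript or URL context; the allowlist rejects the reported filename outright but is a secondary control, since a filename such as `report.xlsx` passes it and must still be encoded on output.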