Hello, I have found a bug: Stored XSS in Milestones PM - Project and Task Management (project)

Steps

1. Install the application Milestones PM - Project and Task Management.
2. Go to (Projects) https://eu6.salesforce.com/a0C/o
3. Create a new project, like: https://eu6.salesforce.com/a0C580000008NOm (test)
4. On the project, like: (a0C580000008NOm), add a new milestone at https://eu6.salesforce.com/a0B/e?CF00N58000005iDpI=test, insert the following in the Project Milestone Name, and save it:
   `<img src="c" onerror=alert(document.cookie)>`
5. Open the project https://eu6.salesforce.com/a0C580000008NOm and you will get an XSS popup alert.

PoC video: https://www.dropbox.com/s/2tu6cqh8ivib52m/xssM.mp4?dl=0

I have reported it to the Salesforce team. Thanks
FYI, this security issue was fixed in Milestones PM+. Milestones PM has not recently passed security review, but PM+ has.
On Jun 22, 2016 2:12 AM, "samir-dz" [email protected] wrote:
> Hello, i have found bug : Stored XSS on Milestones PM - Project and Task Management (project)
>
> Steps
>
> 1- install the Application Milestones PM - Project and Task Management
> 2- go to (Projects) https://eu6.salesforce.com/a0C/o
> 3- create a new Projects like :https://eu6.salesforce.com/a0C580000008NOm (test)
> 4- on the Project like:(a0C580000008NOm) add new Milestones https://eu6.salesforce.com/a0B/e?CF00N58000005iDpI=test insert on the Project Milestone Name http://c save it
> 5- open the project https://eu6.salesforce.com/a0C580000008NOm you will get XSS popup alert
>
> PoC video: https://www.dropbox.com/s/2tu6cqh8ivib52m/xssM.mp4?dl=0
>
> i have reported it to salesforce team Thanks