By UwUQueen
16 Jan 2025 00:05
Category: Other

Image upload title section https://3dspaint.com/my/images.php accepts '"' which allows an attacker to place JavaScript into the input field for editing the title of an image displayed in upload section. such an attack could be done by submitting the form from a different website pointed to the file upload file.

- Quotes should be sanitized
- A token, similar to what is used by logout should be used in the form upload submission to ensure the uploaded content is genuinely from the account holder instead of an attacker.

XSS Sample accepted by input as title:" alert(123);

Resolved: Yes
Other High 1 hr

By @UwUQueen
24 Feb 2025 14:58

This has been fixed. Thank you

By @HullBreach
24 Feb 2025 14:54

Is this resolved now?

By @UwUQueen
16 Jan 2025 00:12

Same issues as issue here

By @UwUQueen
16 Jan 2025 00:09

XSS Sample accepted by input as title:" onclick="alert(123);

@UwUQueen marked this request as resolved.
24 Feb 2025 14:58

@UwUQueen left a reply.
24 Feb 2025 14:58

@HullBreach left a reply.
24 Feb 2025 14:54

@HullBreach claimed ownership of this request.
27 Jan 2025 03:18

@HullBreach changed the hour estimate from 0.
27 Jan 2025 03:18

@UwUQueen left a reply.
16 Jan 2025 00:12

@UwUQueen left a reply.
16 Jan 2025 00:09

@UwUQueen set the priority.
16 Jan 2025 00:06

@UwUQueen created this request.
16 Jan 2025 00:05