Stored and Reflected XSS in pdf-express.org Website
- Vendor: IEEE
- Product: pdf-express.org Website
- Affected Version: –
- Severity: medium
- Short summary: Reflected and Stored XSS possible in pdf-express.org website.
The login page of https://www.pdf-express.org/ does not properly validate the text entered in its fields. This results in a reflected XSS attack (OWASP Link). As an example, if an attacker fills out the following:
Conference ID: "><script>alert("XSS")</script>
Email Address: firstname.lastname@example.org
The result is a pop-up showing "XSS". More concrete attacks are described here.
If I create a new account and create a password containing "><script>alert("XSS")</script>, for example, the XSS is persistent.
Proper input sanitization is needed. More details can be found at https://www.owasp.org/index.php/Data_Validation
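The following Python sketch is an added illustration, not code from pdf-express.org or from the original report. It assumes the Conference ID is echoed back into an HTML `value` attribute (which the `">` prefix of the payload suggests); the field name `confid` and the allowed ID format are hypothetical. It renders the payload quoted above with and without attribute encoding and parses the result to show which tags a browser would see.

```python
import html
import re
from html.parser import HTMLParser

# Payload quoted in the advisory above.
PAYLOAD = '"><script>alert("XSS")</script>'

# Hypothetical form field and ID format (assumptions, not taken from the site).
FORM = '<input type="text" name="confid" value="{value}">'
CONF_ID_RE = re.compile(r"[A-Za-z0-9]{1,20}")


def render_unsafe(conf_id: str) -> str:
    """Reflects the submitted value verbatim: the pattern that allows XSS."""
    return FORM.format(value=conf_id)


def render_escaped(conf_id: str) -> str:
    """Encodes &, <, >, " and ' so the value cannot leave the attribute."""
    return FORM.format(value=html.escape(conf_id, quote=True))


def validate_conf_id(conf_id: str) -> bool:
    """Allow-list check applied before the value is used or stored."""
    return CONF_ID_RE.fullmatch(conf_id) is not None


class TagCollector(HTMLParser):
    """Records every start tag and its decoded attributes."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parsed_tags(markup: str):
    """Returns the (tag, attributes) pairs an HTML parser finds in markup."""
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    print("unsafe :", [t for t, _ in parsed_tags(render_unsafe(PAYLOAD))])
    print("escaped:", [t for t, _ in parsed_tags(render_escaped(PAYLOAD))])
    print("valid ID?", validate_conf_id(PAYLOAD))
```

The same encoding has to be applied wherever a stored value is later written into a page, which is the persistent case described above.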
- 2017-02-03 Vulnerability Discovered
- 2017-02-06 Barbara contacted me and sent me a link to Dropbox to upload the report
- 2017-05-08 Vulnerability is not fixed, vendor needs more time
- 2018-08-01 Published