Submit #115718: Control iD RH iD v23.3.19.0 - Authenticated Stored Cross-Site Scripting in the "Name" field in the "/v2/#/add/department" function
| Title | Control iD RH iD v23.3.19.0 - Authenticated Stored Cross-Site Scripting in the "Name" field in the "/v2/#/add/department" function |
|---|---|
| Description | Control iD's RH iD product has a Cross-Site Scripiting vulnerability stored in the "Name" field in the "/v2/#/add/department" function and is triggered in the "/v2/#/list/department" endpoint. Product URL: https://www.controlid.com.br/relogio-de-ponto/rhid/ https://rhid.com.br/ This vulnerability is authenticated. Here is the PoC: Youtube link: https://youtu.be/4JOLhAuoizE Please do not share the PoC link. I am available to answer questions related to the vulnerability. |
| Source | ⚠️ https:/ |
| User | Stux (ID 40142) |
| Submission | 04/18/2023 16:42 (1 Year ago) |
| Moderation | 04/28/2023 19:06 (10 days later) |
| Accepted | Accepted |
| VulDB Entry | VDB-227718 |