Advisory by Netsparker
Name: Multiple Vulnerabilities in Platformus 1.0.0-alpha21
Affected Software: Platformus
Affected Versions: 1.0.0-alpha21
Vulnerability: Stored XSS
Severity: High
Status: Fixed
CVE-ID: 2018-14487
CVSS Score (3.0): CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Netsparker Advisory Reference: NS-18-012

Technical Details

Stored XSS

URL: http://{platformus_url}/backend/cultures/create
Parameter Name: code
Parameter Type: POST
Attack Pattern: "><script>alert(1)</script>

For more information on cross-site scripting vulnerabilities read the article Cross-site Scripting (XSS).

Advisory Timeline

29th September 2017 - First Contact
1st October 2017 - Technical Details Reported
11th December 2018 - Attempted to Contact 
17th January 2018 - Attempted to Contact 
26th October 2018 - Advisory Released

Credits & Authors

These issues have been discovered by Mustafa Yalçın while testing Netsparker Web Application Security Scanner.

About Netsparker

Netsparker web application security scanners find and report security flaws and vulnerabilities such as SQL Injection and Cross-site Scripting (XSS) in all websites and web applications, regardless of the platform and technology they are built on. Netsparker scanning engine’s unique detection and exploitation techniques allow it to be dead accurate in reporting vulnerabilities. The Netsparker web application security scanner is available in two editions; Netsparker Desktop and Netsparker Enterprise. Visit our website for more information.