Description
Discovered Stored XSS in API key name while generating the API key.
Impact
Any low privileged user like manager, or editor, can create api key with XSS payload, when admin will visit the Company page, the XSS will automatically get triggerred leading to perform unauthorized action from the ADMIN account. like, removing any user, or adding someone else as high privilege, and many more.
mnqazi Reporter
Description
Discovered Stored XSS in API key name while generating the API key.
Impact
Any low privileged user like manager, or editor, can create api key with XSS payload, when admin will visit the Company page, the XSS will automatically get triggerred leading to perform unauthorized action from the ADMIN account. like, removing any user, or adding someone else as high privilege, and many more.