|Publication|27 – January – 2021|CVSS Score|5.4|
|Credits|Luis Daniel Hernández Guadarrama (WeHackMX)|CVE|CVE-2021-3338|

The following screenshot shows a proof of concept (PoC). First, we must select the “Añadir una lista” option.
The application prevents the <script> string from being added; however, the filtering can be bypassed by using variations. As shown in the following screenshot, we set the “description” variable to the code <body onafterprint=alert('WeHackMx')>.
Finally, when the web page is refreshed, the script code is executed, displaying a message box as part of the proof of concept.
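
The following added example (not code from the affected application or from the original advisory) shows why a filter that only removes <script> lets the "description" value above through, and how encoding the value at output time neutralises it. The function names, the filter regex and the wrapping div are assumptions made for illustration; the first sample input is constructed, the second is the value quoted in the advisory.

```javascript
// Added example: names, regex and markup are assumptions, not the application's code.

// Denylist filter of the kind the advisory describes: removes <script> tags only.
function denylistFilter(input) {
  return input.replace(/<\/?script[^>]*>/gi, "");
}

// Output encoding for HTML text and quoted attribute contexts.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

const OPEN = '<div class="description">';
const CLOSE = "</div>";

// Weak pattern: filter on input, then write the stored value into the page raw.
function renderUnsafe(description) {
  return OPEN + denylistFilter(description) + CLOSE;
}

// Corrected pattern: store the value unchanged, encode it when rendering.
function renderSafe(description) {
  return OPEN + escapeHtml(description) + CLOSE;
}

// True if the user-controlled part of the rendered HTML still opens a tag.
function injectsMarkup(rendered) {
  const inner = rendered.slice(OPEN.length, rendered.length - CLOSE.length);
  return /<[a-z\/!]/i.test(inner);
}

// Sample inputs: the first is constructed, the second is the value from the advisory.
const SCRIPT_SAMPLE = "<script>alert(1)</script>";
const ADVISORY_SAMPLE = "<body onafterprint=alert('WeHackMx')>";

for (const sample of [SCRIPT_SAMPLE, ADVISORY_SAMPLE]) {
  console.log(JSON.stringify({
    input: sample,
    unsafeInjectsMarkup: injectsMarkup(renderUnsafe(sample)),
    safeInjectsMarkup: injectsMarkup(renderSafe(sample)),
    safeOutput: renderSafe(sample),
  }));
}
```

The denylist catches only the tag name it was written for, while the encoded output is inert for any tag or event-handler attribute, which is why the fix belongs at render time rather than in an input filter.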