# Reflected XSS - Current Goals

## Reflected XSS (authenticated)  <a href="#finding1" id="finding1"></a>

Performance Pro v3.19.17 and earlier is affected by multiple Stored Cross-Site Scripting (XSS) vulnerabilities (Persistent/Type II) via POST requests to:

{% hint style="warning" %}
`/index.php?mode=mGoalSetup&job=update&id=<goal_id>`
{% endhint %}

### Description

The application is vulnerable to multiple instances of stored (persistent) XSS in the Current Goals functionality. Malicious input provided by an authenticated user is stored server-side and later rendered into the DOM without proper encoding or sanitization. This allows execution of arbitrary JavaScript in the context of any user viewing the affected pages.

### Affected Endpoints and Parameters

**Input (create/update goal):**\
Vulnerable fields:

* Goal Name
* Goal Notes (name field)
* Action Step Name
* Notes Name

**Reflected when viewing/printing goals:**\
`GET /viewgoals.php?printview=1&type=current`\
Vulnerable fields:

* Goal Name
* Goal Description
* Action Step Description

{% hint style="danger" %}
This vulnerability allows attackers to execute malicious scripts, alter the user's interface, and potentially redirect users to malicious sites.
{% endhint %}

***

### Exploitation

* Inject malicious JavaScript into any of the following input fields for current goals.
  * Goal Name
  * Goal Description
  * Action Steps Name
  * Action Steps Description
  * Note Name
* **Send** the crafted URL to a victim via phishing, social engineering, or any other attack vector.
* When the victim navigates to the modified URL, the application reflects the malicious input directly into the browser without sufficient sanitization.
* **The victim’s browser renders the injected payload** in the error message, allowing arbitrary script execution within the victim's browser.
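The render pattern behind the stored XSS described above, beside the output-encoding fix, as an added PHP example that is not Performance Pro's own code; the record layout, field names and helper names are assumptions, only the endpoint URLs come from this advisory.

```php
<?php
// Added example, not Performance Pro's own code: the render pattern behind the
// Current Goals stored XSS beside the output-encoding fix. Record layout, field
// names and function names are assumptions; the URLs come from the advisory.

// Constructed sample of records an authenticated user could have saved via
// POST /index.php?mode=mGoalSetup&job=update&id=<goal_id>.
$goals = [
    ['name' => 'Close Q3 pipeline', 'description' => 'Hit 120% of quota',
     'steps' => [['name' => 'Call leads', 'description' => 'Weekly']]],
    ['name' => 'Mentoring <script>alert(1)</script>', 'description' => '<b>bold</b>',
     'steps' => [['name' => '"><script>alert(2)</script>', 'description' => 'x']]],
];

// One encoder for every stored field that lands in an HTML text or attribute
// context; this is what viewgoals.php?printview=1&type=current is missing.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern: stored values interpolated straight into markup.
function renderGoalsUnsafe(array $goals): string {
    $out = '';
    foreach ($goals as $g) {
        $out .= "<h2>{$g['name']}</h2><p>{$g['description']}</p><ul>";
        foreach ($g['steps'] as $s) {
            $out .= "<li title=\"{$s['name']}\">{$s['description']}</li>";
        }
        $out .= '</ul>';
    }
    return $out;
}

// Hardened pattern: same layout, every stored field passes through h().
function renderGoalsSafe(array $goals): string {
    $out = '';
    foreach ($goals as $g) {
        $out .= '<h2>' . h($g['name']) . '</h2><p>' . h($g['description']) . '</p><ul>';
        foreach ($g['steps'] as $s) {
            $out .= '<li title="' . h($s['name']) . '">' . h($s['description']) . '</li>';
        }
        $out .= '</ul>';
    }
    return $out;
}

// Regression check: a stored <script> or <b> must not survive as live markup.
$safe = renderGoalsSafe($goals);
if (preg_match('/<(script|b)\b/i', $safe) === 1) { fwrite(STDERR, "encoding failed\n"); exit(1); }
echo $safe, PHP_EOL;
```

Comparing `renderGoalsUnsafe($goals)` with the safe output shows the attribute breakout in the action-step name being neutralised along with the tags in the name and description fields.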

### Example 1 - XSS in Updating/Creating Current Goals

* Any of the highlighted fields are vulnerable to XSS during Update/Creation\
  ![](https://2946459361-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGyD3p56S2Ma0Q756LEYJ%2Fuploads%2FFs0DTQqIuyiI72C4oHDm%2Fimage.png?alt=media\&token=3a98ded6-5b1e-4c95-a4d8-0ce8243dfde5)
* Action Steps injection\
  ![](https://2946459361-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGyD3p56S2Ma0Q756LEYJ%2Fuploads%2F0VNMLNV9so0GPwL7lJ39%2Fimage.png?alt=media\&token=ec93c936-c666-4609-b868-dadc7780ecc8)
* Notes injection\
  ![](https://2946459361-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGyD3p56S2Ma0Q756LEYJ%2Fuploads%2FToDMGb7Lz15hsbaa7WS2%2Fimage.png?alt=media\&token=c0899484-3a3b-4451-b510-53070e70c688)
* Successful XSS exploitation\
  ![](https://2946459361-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGyD3p56S2Ma0Q756LEYJ%2Fuploads%2FWTZs7vuzMRL5Mt2jSo3J%2Fimage.png?alt=media\&token=ce684042-ed07-4e12-9004-e3b54f35dd83)

### Example 2 - XSS in View/Print of Current Goals

* Any of the highlighted fields are vulnerable to XSS in the View/Print URL\
  ![](https://2946459361-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGyD3p56S2Ma0Q756LEYJ%2Fuploads%2FrFJU3LacSknX7k5pPR4c%2Fimage.png?alt=media\&token=ceb6f4de-e8aa-40c6-8d29-5c864bc26f8f)
* Successful XSS exploitation\
  ![](https://2946459361-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGyD3p56S2Ma0Q756LEYJ%2Fuploads%2F7qvfQUpBblodQxESea5Z%2Fimage.png?alt=media\&token=af3d13c9-ce48-43c1-8376-35193daaa668)
