❗Reflected XSS - Current Goals

Performance Pro v3.19.17 and earlier is affected by multiple Stored Cross-Site Scripting (XSS) vulnerabilities (Persistent/Type II)

Reflected XSS (authenticated)

Performance Pro v3.19.17 and earlier is affected by multiple Stored Cross-Site Scripting (XSS) vulnerabilities (Persistent/Type II) via POST requests to:

/index.php?mode=mGoalSetup&job=update&id=<goal_id>

Description

The application is vulnerable to multiple instances of stored (persistent) XSS in the Current Goals functionality. Malicious input provided by an authenticated user is stored server-side and later rendered into the DOM without proper encoding or sanitization. This allows execution of arbitrary JavaScript in the context of any user viewing the affected pages.

Affected Endpoints and Parameters:

Input (create/update goal): Vulnerable fields:

Goal Name
Goal Notes (name field)
Action Step Name
Notes Name

Reflected when viewing/printing goals: GET /viewgoals.php?printview=1&type=current Vulnerable fields:

Goal Name
Goal Description
Action Step Description

This vulnerability allows attackers to execute malicious scripts, alter the user's interface, and potentially redirect users to malicious sites.

Exploitation

Inject malicious javascript into any of the following input fields for current goals.
- Goal Name
- Goal Description
- Action Steps Name
- Action Steps Description
- Note Name
Send the crafted URL to a victim via phishing, social engineering, or any other attack vector.
When the victim navigates to the modified URL, the application reflects the malicious input directly into the browser without sufficient sanitization.
The victim’s browser renders the injected payload in the error message, allowing arbitrary script execution within the victim's browser.