❗Reflected XSS - Future Goals

Reflected XSS (authenticated)

Performance Pro v3.19.17 and earlier is affected by multiple Stored Cross-Site Scripting (XSS) vulnerabilities (Persistent/Type II) via POST requests to:

Description

The application is vulnerable to multiple instances of stored (persistent) XSS in the Future Goals functionality. Malicious input provided by an authenticated user is stored server-side and later rendered into the DOM without proper encoding or sanitization. This allows execution of arbitrary JavaScript in the context of any user viewing the affected pages.

Affected Endpoints and Parameters:

Input (create/update goal): Vulnerable fields:

• Goal Name

• Goal Notes (name field)

• Action Step Name

• Notes Name

Reflected when viewing/printing goals: GET /viewgoals.php?printview=1&type=future Vulnerable fields:

• Goal Name

• Goal Description

• Action Step Description

Exploitation

• Inject malicious javascript into any of the following input fields for future goals.

  • Goal Name

  • Goal Description

  • Action Steps Name

  • Action Steps Description

  • Note Name

• Send the crafted URL to a victim via phishing, social engineering, or any other attack vector.

• When the victim navigates to the modified URL, the application reflects the malicious input directly into the browser without sufficient sanitization.

• The victim’s browser renders the injected payload in the error message, allowing arbitrary script execution within the victim's browser.

Example 1: XSS in Updating/Creating Future Goals

• Any of the highlighted fields are vulnerable to XSS between the Update/Creation

• Successful XSS exploitation

Example 2: XSS in View/Print of Future Goals

• Any of the highlighted fields are vulnerable to XSS in the View/Print URL

• Successful XSS exploitation