❗Reflected XSS - Future Goals

Performance Pro v3.19.17 and earlier is affected by multiple Stored Cross-Site Scripting (XSS) vulnerabilities (Persistent/Type II)

Reflected XSS (authenticated)

Performance Pro v3.19.17 and earlier is affected by multiple Stored Cross-Site Scripting (XSS) vulnerabilities (Persistent/Type II) via POST requests to:

Description

The application is vulnerable to multiple instances of stored (persistent) XSS in the Future Goals functionality. Malicious input provided by an authenticated user is stored server-side and later rendered into the DOM without proper encoding or sanitization. This allows execution of arbitrary JavaScript in the context of any user viewing the affected pages.

Affected Endpoints and Parameters:

Input (create/update goal): Vulnerable fields:

  • Goal Name

  • Goal Notes (name field)

  • Action Step Name

  • Notes Name

Reflected when viewing/printing goals: GET /viewgoals.php?printview=1&type=future Vulnerable fields:

  • Goal Name

  • Goal Description

  • Action Step Description
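The missing output encoding described above, shown as an added example (not Performance Pro's code): a view/print-style renderer that concatenates stored goal fields into markup, beside a version that encodes each field at output. The function names, array keys, markup and sample record are assumptions made for illustration; PHP is assumed from the `.php` endpoint.

```php
<?php
declare(strict_types=1);

// Encode a stored value for HTML text and quoted-attribute contexts.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid
// UTF-8 sequences instead of returning an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Before: stored fields are concatenated straight into the page.
function render_goal_unsafe(array $goal): string
{
    return '<h2>' . $goal['name'] . '</h2>'
         . '<p>' . $goal['description'] . '</p>'
         . '<input name="step" value="' . $goal['step_description'] . '">';
}

// After: every stored field is encoded at the point of output.
function render_goal_safe(array $goal): string
{
    return '<h2>' . e($goal['name']) . '</h2>'
         . '<p>' . e($goal['description']) . '</p>'
         . '<input name="step" value="' . e($goal['step_description']) . '">';
}

// Constructed sample record: harmless markup that must be shown as text.
$goal = [
    'name'             => '<script>/* constructed marker */</script>',
    'description'      => 'Grow <i>Q3</i> revenue & margin',
    'step_description' => 'Review "stretch" targets',
];

$safe = render_goal_safe($goal);

// Regression check: no stored markup or attribute break-out survives encoding.
foreach (['<script', '<i>', 'value="Review "'] as $needle) {
    if (strpos($safe, $needle) !== false) {
        throw new RuntimeException("unencoded markup in output: $needle");
    }
}

echo $safe, PHP_EOL;
```

Encoding at render time covers values already stored in the database; filtering only on the create/update request would leave existing records rendering as markup.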


Exploitation

  • Inject malicious JavaScript into any of the following input fields for future goals:

    • Goal Name

    • Goal Description

    • Action Steps Name

    • Action Steps Description

    • Note Name

  • Send the crafted URL to a victim via phishing, social engineering, or any other attack vector.

  • When the victim navigates to the modified URL, the application reflects the malicious input directly into the browser without sufficient sanitization.

  • The victim’s browser renders the injected payload in the error message, allowing arbitrary script execution within the victim's browser.

Example 1: XSS in Updating/Creating Future Goals

  • Any of the highlighted fields are vulnerable to XSS during Update/Creation

  • Successful XSS exploitation

Example 2: XSS in View/Print of Future Goals

  • Any of the highlighted fields are vulnerable to XSS in the View/Print URL

  • Successful XSS exploitation
