Share
## https://sploitus.com/exploit?id=8A836B6C-0793-5AAA-827F-A97613AEE7D4
# CVE-2025-70368
# Stored Cross-Site Scripting (XSS) in Project Updates Feature

  
    
      
        
      
    
    
      Worklenz
      All in one project management tool for efficient teams 
    
  
  
  


## ๐Ÿ“œ Description
Worklenz version 2.1.5 contains a Stored Cross-Site Scripting (XSS) vulnerability in the Project Updates feature. An attacker can submit a malicious payload in the Updates text field which is then rendered in the reporting view without proper sanitization. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.

## ๐Ÿ” Affected Versions

| Status       | Version         |
|--------------|-----------------|
| ๐Ÿ”ด Vulnerable |   `2.1.5`      | 

## ๐Ÿ› ๏ธ Steps to Reproduce

#### 1๏ธโƒฃ Navigate to Projects --> "Project Name" --> Updates

#### 2๏ธโƒฃ Enter the following payload:

```html

```


#### 3๏ธโƒฃ Navigate to Reporting --> Projects

#### 4๏ธโƒฃ The stored payload is rendered, and the alert executes:



## โš ๏ธ Disclaimer
This project is intended for **educational and ethical research purposes only**. Unauthorized testing on systems without explicit permission is illegal. Use responsibly and only on systems you own or have permission to test.

## ๐Ÿง‘โ€๐Ÿ’ป Discovery

This vulnerability was discovered by **Alex Perrakis** (Stolichnayer).

## ๐Ÿ”— References:
- [Worklenzs Github Repository](https://github.com/Worklenz/worklenz)