## https://sploitus.com/exploit?id=8A836B6C-0793-5AAA-827F-A97613AEE7D4
# CVE-2025-70368
# Stored Cross-Site Scripting (XSS) in Project Updates Feature
Worklenz
All in one project management tool for efficient teams
## ๐ Description
Worklenz version 2.1.5 contains a Stored Cross-Site Scripting (XSS) vulnerability in the Project Updates feature. An attacker can submit a malicious payload in the Updates text field which is then rendered in the reporting view without proper sanitization. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
## ๐ Affected Versions
| Status | Version |
|--------------|-----------------|
| ๐ด Vulnerable | `2.1.5` |
## ๐ ๏ธ Steps to Reproduce
#### 1๏ธโฃ Navigate to Projects --> "Project Name" --> Updates
#### 2๏ธโฃ Enter the following payload:
```html
```
#### 3๏ธโฃ Navigate to Reporting --> Projects
#### 4๏ธโฃ The stored payload is rendered, and the alert executes:
## โ ๏ธ Disclaimer
This project is intended for **educational and ethical research purposes only**. Unauthorized testing on systems without explicit permission is illegal. Use responsibly and only on systems you own or have permission to test.
## ๐งโ๐ป Discovery
This vulnerability was discovered by **Alex Perrakis** (Stolichnayer).
## ๐ References:
- [Worklenzs Github Repository](https://github.com/Worklenz/worklenz)