Hi,
I am a security researcher, testing open source applications for security issues. Below are few security bugs that i discovered in your software. There are more security bugs then listed below. Please let me know if you are interested in a report with all the bugs.
Please find video POC for XSS 1 and XSS 2 here -> https://drive.google.com/open?id=0ByiaSatXlvD_Zmt4R1V1V1BpU1E
XSS 1 (Tasks - Title)
Steps to recreate:
1. Home->Tasks->add new
2. Enter title as "MYTITLE" and fill required details but don't click save
3. Start interceptor and intercept request
4. click save
5. Now replace MYTITLE with "<i onclick=alert(1)>alertme</i>"(without quotes)
6. Home->click on alertme
XSS 2 (Tasks - Description)
Steps to recreate:
1. Create a new task and fill description as "MYDESC" but don't click on save
2. Start intercepting request and then click save on browser
3. Now replace MYDESC with "<script>alert(1)</script>"
4. Go to Home(make sure task applet is there) -> Mouseover on i icon
XSS 3 (Tasks/Phonecall - Notes - Title)
Steps to recreate:
1. Home->Tasks/PhoneCall->Notes->add new
2. Steps same as XSS 1
3. Click on alertme in notes section
XSS 4 (Tasks - Alerts - Title)
Steps to recreate:
1. Home->Tasks->Notes->add new
2. Steps same as XSS 1
3. Click on alertme in alerts section
XSS 5 (Phonecalls - Subject)
Steps to recreate:
1. Create a new phonecall and fill subject as "MYSUB" but don't click on save
2. Start intercepting request and then click save on browser
3. Now replace MYSUB with "<script>alert(1)</script>"
4. Go to Home(make sure task applet is there) -> Mouseover on i icon
XSS 6 (Phonecalls - Description)
Same as XSS 5
