This one is on notes via change of status.
Steps to reproduce:
1) Create a Task
2) In the dashboard click on the Status of the task in order to edit its status
3) Set its status to anything but closed or canceled and make the note be: <img src=x onerror=alert(0)>
(Make sure everyone can access this note)
4) When you open the note XSS payload will get executed
This one is via the file name in task notes.
Another one:
1) Create a task
2) On your computer create a file called <img src=x onerror=alert(0)>.log
3) In the task click on add new record
4) Click on "Select Files" and upload the file <img src=x onerror=alert(0)>.log
5) Save it
6) When anyone opens the task the XSS payload will get executed
Thank you!
