From: firstname.lastname@example.org email@example.com On Behalf Of Jerry Lee
Sent: Tuesday, July 17, 2018 7:45 PM
Subject: [grouper-core] Reflected (GET request) cross-site scripting in New UI
Hi Grouper developer team,
This is Jerry from the University of Auckland. We would like to report a reflected (GET request) cross-site scripting vulnerability within Grouper's New UI.
This vulnerability exists in the following URL parameter:
A proof of concept URL that could trigger this XSS vulnerability would look like this:
I've also attached a screenshot with the payload executed within the client browser in this email; feel free to take a look if it would help in resolving the issue. If you would like me to clarify anything with regard to the above subject, please do not hesitate to contact me.
Jerry Lee | Information Security Analyst | University of Auckland
+64 9 373 7599 ext. 83763 - firstname.lastname@example.org - PGP ID:0267ADF6
PGP Fingerprint: F886 6E17 F107 0717 C10D 30C3 AA9D FCB5 0267 ADF6