Reflected XSS in Laundry 2.3.0 (CVE-2023-28842) Leads to Account Takeover

Critical Vulnerability Information Vulnerability Overview Name: XSS in Laundry allows to perform an Account Takeover Severity: Medium (5.1) Discoverer: Carlos Bello Timeline: - Vulnerability discovered: June 14, 2023 - Vendor acknowledged: June 26, 2023 - Public disclosure: July 2, 2023 Vulnerability Details Full Name: XSS in Laundry 2.3.0 allows to perform an account takeover Code Name: wabacuaca Status: Public Release Date: July 2, 2023 Affected Product: Laundry Affected Version: Version 2.3.0 Vulnerability Type: Reflected cross-site scripting (XSS) Remotely Exploitable: Yes CVSS v4.0 Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N CVSS v4.0 Base Score: 5.1 Exploit Available: Yes CVE ID: CVE-2023-28842 Description Laundry version 2.3.0 allows account takeover. This is possible because the application is vulnerable to XSS attacks. Vulnerability A cross-site scripting (XSS) vulnerability has been identified in Laundry. This allows account takeover by any user accessing a malicious link. Exploit Proof Screenshots are provided as proof of exploitation. Security Policy We have reserved the ID CVE-2023-28842 to reference this issue. System Information Version: Laundry 2.3.0 Operating System: MacOS Mitigation No patch is currently available for this vulnerability. Acknowledgments This vulnerability was discovered by Carlos Bello from the Fluid Attacks Offensive Team. References Vendor page: https://github.com/mohitktrai/Laundry

Goal Reached Thanks to every supporter — we hit 100%!

Reflected XSS in Laundry 2.3.0 (CVE-2023-28842) Leads to Account Takeover