The Online Time Tracking application from paydirtapp.com suffers from a persistent (stored) cross-site scripting vulnerability: a client record containing an XSS payload is rendered unescaped both in the client list and in the client selector of the quote form.
# Affected software: Online Time Tracking - URL: https://paydirtapp.com/
# Discovered by: Provensec
# Website: http://www.provensec.com
# Type of vulnerability: XSS Stored
# Description: Paydirt is time tracking and invoicing software made for
browser-based freelancers and small businesses. It keeps track of who you're
working for so that you don't have to. Paydirt is currently integrated with
Chrome and Firefox, and will prompt you to track time based on the websites
you're using and the emails you write.
# Proof of concept:
1. Go to https://paydirtapp.com/clients
2. Add a new client with an XSS payload in a client field (the name, for
   example): "><img src=d onmouseover=prompt(1);>
3. Go to https://paydirtapp.com/clients again: the payload is stored and
   rendered unescaped in the client list, so the XSS fires (here on mouseover).
4. The same stored value is also reused elsewhere: after adding the client,
   go to https://paydirtapp.com/quotes, create a new quote and open the
   client selector; the payload is rendered there too and the XSS fires again.
Screenshot: http://prntscr.com/4fe3zq
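The following is an added illustration of the bug class described above, written for this write-up; it is not Paydirt's code, and the HTML snippets are an assumed shape of the client list and quote client selector, not the real templates. It shows the PoC payload being spliced into element content and into an attribute unescaped (the vulnerable pattern), the output-encoding fix, and a small check that confirms the stored value no longer contributes a tag of its own. `renderClientRowUnsafe`, `renderClientOptionUnsafe`, `escapeHtml`, `tagNames` and `injectsTag` are names chosen here for illustration.

```javascript
// Added illustration (not Paydirt's code): how a stored client name reaches
// the /clients list and the /quotes client selector, and the output-encoding
// fix. The markup is an assumed shape of those pages, not the real templates.

const PAYLOAD = '"><img src=d onmouseover=prompt(1);>'; // payload from the PoC

// Vulnerable pattern (assumed): the stored value is spliced into HTML as-is,
// in element content (the client list) and inside an attribute (the selector).
function renderClientRowUnsafe(client) {
  return `<tr><td class="name">${client.name}</td></tr>`;
}
function renderClientOptionUnsafe(client) {
  return `<option value="${client.id}" title="${client.name}">${client.name}</option>`;
}

// Fix: escape every HTML-significant character at output time. Quotes must be
// escaped as well; otherwise the payload's leading `"` still closes the title
// attribute and the rest of the string becomes markup.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}
function renderClientRow(client) {
  return `<tr><td class="name">${escapeHtml(client.name)}</td></tr>`;
}
function renderClientOption(client) {
  const name = escapeHtml(client.name);
  return `<option value="${escapeHtml(client.id)}" title="${name}">${name}</option>`;
}

// Check used to confirm the fix: list the tag names a browser would see in the
// rendered markup. A name field must never contribute a tag of its own.
function tagNames(html) {
  return Array.from(
    html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g),
    (m) => m[1].toLowerCase(),
  );
}
function injectsTag(html, tag) {
  return tagNames(html).includes(tag);
}

// Constructed sample record, shaped like the client the PoC creates.
const sampleClient = { id: 42, name: PAYLOAD };

console.log('unsafe row injects <img>:   ', injectsTag(renderClientRowUnsafe(sampleClient), 'img'));
console.log('unsafe option injects <img>:', injectsTag(renderClientOptionUnsafe(sampleClient), 'img'));
console.log('fixed row injects <img>:    ', injectsTag(renderClientRow(sampleClient), 'img'));
console.log('fixed option injects <img>: ', injectsTag(renderClientOption(sampleClient), 'img'));
console.log('fixed option markup:', renderClientOption(sampleClient));
```

Run it with `node`. The point of escaping at output rather than filtering on input is that the same stored value is rendered in at least two places (the client list and the quote form); an input filter that only guards the first page would leave the second one exposed, whereas encoding in every template that prints the value fixes both. Where the value lands inside an attribute, the quotes in the encoding table are what keep the attribute closed.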