CWE-79 - Reflected Cross Site scripting vulnerability at /InvisibleRecaptcha.php

## Hey, I'd like to request you to issue a CVE for this pull request.

## Summary
As I'm doing security research during my bug bounty activities I stumbled upon an issue with a client that uses invisible-recaptcha

specifically speaking, the issue is within the "ac" parameter

As I discovered the vulnerability during my BlackBox approach, I decided to report it in this repo and to see the white box root cause of the matter.

The url of my proof of concept looked like the following:

```
invisibleRecaptcha?sitekey=XXXXXX&lang=XX&label=XXX&ac=</script><a%20href=javascript:alert(document.domain)>hi</a>
```

The payload I used was to escape the javascript context that the input was injected into and insert my own Cross Site Scripting code.

![Screen Shot 2021-10-03 at 17 28 35](https://user-images.githubusercontent.com/35578316/135758276-d98f745f-a1b4-4746-8fe3-c85449beea03.png)





Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CWE-79 - Reflected Cross Site scripting vulnerability at /InvisibleRecaptcha.php #153

Hey, I'd like to request you to issue a CVE for this pull request.

Summary

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

CWE-79 - Reflected Cross Site scripting vulnerability at /InvisibleRecaptcha.php #153

Description

Hey, I'd like to request you to issue a CVE for this pull request.

Summary

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions