Stored cross site scripting in pandorafms/pandorafms
Reported on
Nov 19th 2022
Hi Team, I have found a stored cross-site scripting vulnerability in the Create event section.
Description
What is a stored cross-site scripting attack?
Stored XSS occurs when user-supplied input is stored and then rendered within a web page. Typical entry points for stored XSS are message forums, blog comments, user profiles and username fields. An attacker typically exploits this vulnerability by injecting XSS payloads on popular pages of a site or by passing a link to a victim, tricking them into viewing the page that contains the stored XSS payload. The victim visits the page and the payload is executed client side by the victim's web browser.
Proof of Concept
https://drive.google.com/drive/folders/1GIiKnWjbPWHzbgwSPwRmWS1QN-THd6S0?usp=sharing
var payload = "><script>alert(document.cookie)</script>
Steps to reproduce:
1. Login as a user other than the admin user.
2. Navigate to Configuration -> Events -> Event filters.
3. Create a new event.
4. In the "free search" input field put the payload, fill in the rest of the details in the form and click on the create button.
5. Now, login with the admin user and navigate to Configuration -> Events -> Event filters.
6. Now click on the event you created as the other user.
7. The payload gets executed.
Impact
1. Perform any action within the application that the user can perform.
2. View any information that the user is able to view.
3. Modify any information that the user is able to modify.
4. Session hijacking, as the JavaScript code can easily access the session cookie since the httpOnly flag is set to false.
Mitigation:
1. Implement security headers such as X-XSS-Protection and CSP for an added layer of protection.
2. Proper input validation and sanitization should be performed.
3. Proper output encoding should be performed.
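The three mitigations above, shown side by side in PHP as an added example. This is not PandoraFMS code: it assumes a hypothetical `$filter` array loaded from the database with a `free_search` key, and the stored value is a constructed sample equal to the payload in the proof of concept. The vulnerable renderer echoes the stored field straight into an attribute; the hardened one applies contextual output encoding, a storage-time validation check rejects values that cannot be a search term, and the header helper adds a CSP and an httpOnly session cookie so that a script which does slip through cannot read the session.

```php
<?php
// Added example, not PandoraFMS code. Assumes a hypothetical $filter array
// loaded from the database; the 'free_search' value below is a constructed sample.
declare(strict_types=1);

$filter = [
    'name'        => 'My filter',
    'free_search' => '"><script>alert(document.cookie)</script>',
];

// VULNERABLE: the stored value is written into the value="" attribute unencoded.
// The leading "> closes the attribute and the <script> element is then parsed
// by the browser of whoever views the filter, for example the admin.
function render_free_search_vulnerable(array $filter): string
{
    return '<input type="text" name="free_search" value="' . $filter['free_search'] . '">';
}

// HARDENED: contextual output encoding. ENT_QUOTES encodes both quote styles
// together with <, > and &, so the value can never leave the attribute.
function render_free_search_safe(array $filter): string
{
    $encoded = htmlspecialchars(
        $filter['free_search'],
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );
    return '<input type="text" name="free_search" value="' . $encoded . '">';
}

// Storage-time input validation as a second layer: reject rather than strip.
// Hypothetical policy: bounded length and no angle brackets in a search term.
function validate_free_search(string $value): bool
{
    return strlen($value) <= 255 && preg_match('/^[^<>]*$/u', $value) === 1;
}

// Defence in depth: a CSP that forbids inline script, and a session cookie that
// JavaScript cannot read. Must be called before any output is sent.
function send_defensive_headers(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

echo render_free_search_vulnerable($filter), PHP_EOL;
echo render_free_search_safe($filter), PHP_EOL;
var_dump(validate_free_search($filter['free_search']));
```

Output encoding is the control that actually closes this bug, because it is applied at the point where the untrusted value meets HTML; validation and the CSP reduce the blast radius if a rendering path is missed. Of the two headers named in the mitigation list, CSP is the one that still matters: current browsers have retired the X-XSS-Protection auditor, so it should not be relied on.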
Occurrences
Fixed in v767 --> Pending to get CVE
Published https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-47372