Stored XSS in "campaigns" in knadh/listmonk

Valid

Reported on

Apr 30th 2022


Description

The listmonk application is vulnerable to stored XSS in the "Name" input filed for "campaigns" for which when a user tried to delete the "campaigns" XSS gets triggered.

Proof of Concept

1.Go to "Campaigns" -> "All campaigns" -> "New"

2.Put this payload: <img src=1 onerror=alert(document.domain)> in the "Name" input field and fill other details and click on Continue.

3.After that go to "All campaigns" you will see the payload in one of the name sections try to delete it then XSS will trigger.

Video POC

https://drive.google.com/file/d/1jDXMrAyFu-Blh71MKDRZv2Ps_ePHQsRs/view?usp=sharing

Impact

This allows attackers to execute malicious scripts in the user's browser and it can lead to session hijacking, sensitive data exposure, and worse.

We are processing your report and will contact the knadh/listmonk team within 24 hours. 24 days ago
Kailash Nadh modified the Severity from Critical to Low 23 days ago
We have contacted a member of the knadh/listmonk team and are waiting to hear back 23 days ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Kailash Nadh validated this vulnerability 22 days ago
SAMPRIT DAS has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Kailash Nadh confirmed that a fix has been merged on a94f23 22 days ago
The fix bounty has been dropped
SAMPRIT DAS
22 days ago

Researcher


@knadh @admin Can you register CVE for this report?

Jamie Slome
22 days ago

Admin


It does not appear that the severity of the issue is significant enough to warrant a CVE, as mentioned by the maintainer on GitHub.

SAMPRIT DAS
22 days ago

Researcher


Ok admin

to join this conversation