Cross-site Scripting (XSS) - Stored in tsolucio/corebos

Valid

Reported on

Nov 28th 2021


Description

coreBOS is vulnerable to Stored XSS via Entity Name in User Preferences.

Steps to reproduce

1. After login, click on the avatar icon in the top right corner to go to My Preferences.
2. Click the Edit button.
3. In the Last Name field, input the payload <SvG/onLoad=confirm(document.cookie)> then click the Save button.
4. Now you will see that the payload has been filtered in the Last Name field. However, it is displayed in the Entity Name field.
5. To trigger the XSS, click on the Entity Name field then click the Save button under that field.
6. Reload the page or go to the homepage; you will see the XSS triggered.
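An added illustration of the defect pattern the steps describe, written for this page and not taken from coreBOS: one input field is filtered, but a derived field (here Entity Name) keeps the raw submission and is rendered without encoding. The way Entity Name is assembled from the raw Last Name value is an assumption about the mechanism, not the project's actual code; the fix shown derives from the filtered value and encodes at the output boundary.

```python
import html
import re

# Payload string from the report, embedded here as constructed test input.
PAYLOAD = "<SvG/onLoad=confirm(document.cookie)>"

def strip_tags(value: str) -> str:
    """Input-side filter of the kind the report says protects Last Name."""
    return re.sub(r"<[^>]*>", "", value)

def save_preferences_vulnerable(first_name: str, last_name: str) -> dict:
    """Modelled flaw (assumed mechanism): Last Name is filtered when stored,
    but the derived Entity Name is built from the raw submission and saved."""
    return {
        "first_name": first_name,
        "last_name": strip_tags(last_name),
        "entity_name": f"{first_name} {last_name}".strip(),  # raw value kept
    }

def render_vulnerable(record: dict) -> str:
    """Template that interpolates the stored value with no output encoding."""
    return f'<span class="entity">{record["entity_name"]}</span>'

def save_preferences_fixed(first_name: str, last_name: str) -> dict:
    """Derive Entity Name from the already-filtered fields and apply the same
    filter to it, so editing that field directly (step 5) gets no bypass."""
    clean_first, clean_last = strip_tags(first_name), strip_tags(last_name)
    return {
        "first_name": clean_first,
        "last_name": clean_last,
        "entity_name": strip_tags(f"{clean_first} {clean_last}".strip()),
    }

def render_fixed(record: dict) -> str:
    """Encode at the output boundary; this neutralises the payload even for a
    record that was stored before the input-side fix landed."""
    safe = html.escape(record["entity_name"], quote=True)
    return f'<span class="entity">{safe}</span>'

def rendered_has_raw_tag(rendered: str) -> bool:
    """Check: does the span body still carry an injected (unencoded) tag?"""
    body = re.sub(r"^<span[^>]*>|</span>$", "", rendered)
    return re.search(r"<[a-zA-Z]", body) is not None
```

Running `render_fixed` over a record saved by `save_preferences_vulnerable` shows why output encoding matters on its own: already-stored payloads stay inert without a data migration.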

Proof of Concept

You can check my PoC here: PoC

Impact

This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie.

We are processing your report and will contact the tsolucio/corebos team within 24 hours. a year ago
We have contacted a member of the tsolucio/corebos team and are waiting to hear back a year ago
We have sent a follow up to the tsolucio/corebos team. We will try again in 7 days. a year ago
Joe Bordes validated this vulnerability a year ago
KhanhCM has been awarded the disclosure bounty
The fix bounty is now up for grabs
Joe Bordes marked this as fixed in 8.0 with commit 1dd461 a year ago
Joe Bordes has been awarded the fix bounty
This vulnerability will not receive a CVE
KhanhCM (Researcher), a year ago

Hi @maintainer,

Did you update the fix to the demo site? I have just tested again and the XSS vulnerability still exists.
