Reflected XSS via "stufftype" parameter in tsolucio/corebos

Valid

Reported on Aug 22nd 2022

Description

The value of the stufftype parameter is reflected into the page without proper filtering, which makes it possible to execute malicious JavaScript code in the victim's browser.

Testing Environment

  1. Windows OS
  2. Firefox Browser

Proof of Concept

  1. Visit https://demo.corebos.com/index.php?module=Home&action=HomeAjax&file=NewBlock&stuffid=test;&stufftype=%22%20onmouseover=%22alert(1)%22%20test=%22
  2. Hover over the Refresh icon displayed in the page to execute the payload.

Impact

Such attacks commonly include transmitting private data, like cookies or other session information, to the attacker, redirecting the victim to web content controlled by the attacker, or performing other malicious operations on the user's machine under the guise of the vulnerable site.
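
The attribute breakout used in the proof of concept, next to output encoding that neutralizes it, as an added example (not coreBOS code and not the project's fix). The `<img>` template, the `data-stufftype` attribute and the function names are hypothetical, and PHP's DOM extension is assumed to be available:

```php
<?php
// Added illustration, not coreBOS code. The <img> template and the
// data-stufftype attribute are hypothetical stand-ins for markup that
// places the stufftype value inside a double-quoted attribute.

// Vulnerable pattern: the request value is concatenated in as-is.
function render_unsafe(string $stufftype): string
{
    return '<img src="refresh.gif" data-stufftype="' . $stufftype . '">';
}

// Hardened pattern: encode for the HTML attribute context at output time.
// ENT_QUOTES encodes both " and ', so the value cannot close the attribute.
function render_safe(string $stufftype): string
{
    $encoded = htmlspecialchars($stufftype, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<img src="refresh.gif" data-stufftype="' . $encoded . '">';
}

// Parse the markup with an HTML parser and return the attribute names that
// end up on the <img> element.
function attribute_names(string $html): array
{
    $doc = new DOMDocument();
    $doc->loadHTML($html, LIBXML_NOERROR | LIBXML_NOWARNING);
    $names = [];
    foreach ($doc->getElementsByTagName('img')->item(0)->attributes as $attr) {
        $names[] = $attr->nodeName;
    }
    return $names;
}

// Value of stufftype from the proof-of-concept URL, URL-decoded.
$payload = urldecode('%22%20onmouseover=%22alert(1)%22%20test=%22');

foreach (['render_unsafe', 'render_safe'] as $render) {
    $html = $render($payload);
    echo $render, ': ', $html, "\n";
    echo '  attributes: ', implode(', ', attribute_names($html)), "\n";
}
```

With the unencoded value the parser reports `onmouseover` and `test` as separate attributes on the element; with the encoded value only `src` and `data-stufftype` remain, and the payload is carried as inert attribute text.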

We are processing your report and will contact the tsolucio/corebos team within 24 hours. (a year ago)
We have contacted a member of the tsolucio/corebos team and are waiting to hear back. (a year ago)
Joe Bordes validated this vulnerability. (a year ago)
Niraj Khatiwada has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Joe Bordes marked this as fixed in 8.0 with commit e41c4f. (a year ago)
Joe Bordes has been awarded the fix bounty
This vulnerability will not receive a CVE