Html Injection in Groups in alfio-event/alf.io

Valid

Reported on

Dec 7th 2022


Description

Insert an XSS payload in the group fields (Name, Description)

Proof of Concept

  1. Log in to the dashboard

  2. Navigate to Groups

  3. Insert the following as Name and Description:

aaaaa<h1 onclick=alert(1)>test

POC:

https://drive.google.com/file/d/1ZsxN-zKoyuiosrgfG8a9Z1sF_e9mde-8/view?usp=sharing

https://drive.google.com/file/d/1_cn3nBwlBAID_hedS43RTIIz_j42_4zo/view?usp=sharing

Impact

Phishing or Response Manipulation

We are processing your report and will contact the alfio-event/alf.io team within 24 hours. 4 months ago
Sylvain Jermini validated this vulnerability 3 months ago

Hi @reza.duty, you are right, the HTML should not be interpreted in the notification widget.

A fix is pending.

To be noted, Content-Security-Policy is blocking the JS code =).

Thank you for reporting it, we appreciate it.

reza.duty has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
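As an added example (not alf.io's code), the two rendering patterns behind this report: a notification widget that interpolates the group Name and Description straight into its markup, beside one that escapes them first. The widget markup and function names are assumptions; the group name is the payload from the report.

```javascript
// Added example, not alf.io's code. The group name is the payload from the
// report; the notification markup is an assumed shape, not the real widget.
const REPORTED_GROUP_NAME = 'aaaaa<h1 onclick=alert(1)>test';

// Escape the characters that let user data break out of HTML text context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: untrusted fields are dropped into the template verbatim,
// so a group name containing markup becomes part of the widget's DOM.
function renderNotificationUnsafe(group) {
  return `<div class="notification">Group "${group.name}" saved: ${group.description}</div>`;
}

// Hardened pattern: every untrusted field is escaped before it reaches the
// template. In a browser, assigning the value to element.textContent instead
// of innerHTML achieves the same result without a manual escape step.
function renderNotificationSafe(group) {
  return `<div class="notification">Group "${escapeHtml(group.name)}" saved: ${escapeHtml(group.description)}</div>`;
}

// Check used to show the difference: does the rendered markup contain an
// element carrying an inline on* event handler attribute?
function hasEventHandlerAttribute(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Constructed group record using the reported payload as its name.
const sampleGroup = { name: REPORTED_GROUP_NAME, description: 'Speakers' };
console.log(hasEventHandlerAttribute(renderNotificationUnsafe(sampleGroup))); // true
console.log(hasEventHandlerAttribute(renderNotificationSafe(sampleGroup)));   // false
```

Escaping keeps the injected heading from rendering at all, whereas the CSP mentioned above only stops the inline handler from executing and still leaves the attacker-controlled markup visible in the widget.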
reza.duty
3 months ago

Researcher


Thanks. Can you please request a CVE?

Celestino Bellone marked this as fixed in 2.0-M4-2301 with commit c1ae54 2 months ago
Celestino Bellone has been awarded the fix bounty
This vulnerability has been assigned a CVE
Celestino Bellone published this vulnerability 2 months ago