DOM XSS leads to account takeover in octoprint/octoprint

Valid

Reported on

Apr 19th 2022


Description

The login endpoint allows a JavaScript payload to execute, which leads to an XSS pop-up.

Proof of Concept

Send this link to the admin: http://127.0.0.1:2222/login/?redirect=javascript:alert(document.cookie)

When he opens it and tries to log in, the XSS will pop up.

Image POC

https://drive.google.com/file/d/1VoO0BHUE03o0iOo8B9WFRvC1zRrFN4-T/view?usp=sharing

Impact

The attacker is able to capture the admin's cookie and can take over his account.
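A defender-side check for this bug class, added here as an example (it is not OctoPrint's code and not the 1.8.0 fix): the `redirect` parameter is parsed as a URL relative to the page's own origin and only same-origin http(s) targets are honoured, so `javascript:` URLs, `data:` URLs, protocol-relative `//host` values and foreign origins all fall back to `/`. The function names and the simulated login flow are assumptions.

```javascript
// Added example, not OctoPrint's code. Decide where the login page may send the
// browser after a successful login, given the raw ?redirect= value.
function safeRedirect(candidate, pageOrigin) {
  const fallback = "/";
  if (typeof candidate !== "string" || candidate.length === 0) return fallback;

  let target;
  try {
    // Resolving against the page origin turns relative paths into absolute URLs
    // and normalises the scheme (case, leading whitespace), so "  JAVASCRIPT:..."
    // is seen as "javascript:" rather than slipping past a naive prefix check.
    target = new URL(candidate, pageOrigin);
  } catch (e) {
    return fallback; // unparsable input is never used as a location
  }

  // Only navigable web schemes; this is what rejects javascript: and data: URLs.
  if (target.protocol !== "http:" && target.protocol !== "https:") return fallback;

  // Only our own origin; this rejects //evil.example and other hosts/ports
  // (an open redirect would otherwise remain even with the scheme check).
  if (target.origin !== new URL(pageOrigin).origin) return fallback;

  // Hand back a local path only, so the result can never carry an origin.
  return target.pathname + target.search + target.hash;
}

// Simulates the vulnerable page's flow: read ?redirect= from the login URL the
// victim opened and compute the post-login destination safely.
function redirectAfterLogin(loginUrl) {
  const page = new URL(loginUrl);
  return safeRedirect(page.searchParams.get("redirect"), page.origin);
}
```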

We are processing your report and will contact the octoprint team within 24 hours. a year ago
We have contacted a member of the octoprint team and are waiting to hear back a year ago
octoprint/octoprint maintainer has acknowledged this report a year ago
Gina Häußge modified the report a year ago
Gina Häußge validated this vulnerability a year ago

I have downgraded the severity to high. A scope change is not possible here, and a successful attack requires knowledge about the target system and preparation (you need not only get network access to a normally LAN-only application but then also need to figure out who is an admin or has an account there for targeting with a prepared link that will then give you access to credentials via the vulnerability), and the complexity therefore cannot be classified as "low" either.

Apart from that, thank you for finding this, because this is definitely a serious issue that needs fixing ASAP.

Raj has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Gina Häußge (Maintainer), a year ago
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

We have sent a fix follow up to the octoprint team. We will try again in 7 days. a year ago
We have sent a second fix follow up to the octoprint team. We will try again in 10 days. a year ago
We have sent a third and final fix follow up to the octoprint team. This report is now considered stale. a year ago
Gina Häußge (Maintainer), a year ago
A fix has been prepared and will be rolled out with 1.8.0, which is planned to be released next week.

Raj (Researcher), a year ago
No worries, you can take your time @Maintainer

Gina Häußge marked this as fixed in 1.8.0 with commit 808752 a year ago
Gina Häußge has been awarded the fix bounty
This vulnerability will not receive a CVE