DOM XSS leads to account takeover in octoprint/octoprint
Reported on
Apr 19th 2022
Description
The login endpoint allows a JavaScript payload to execute, which leads to an XSS pop-up.
Proof of Concept
Send this link to the admin: http://127.0.0.1:2222/login/?redirect=javascript:alert(document.cookie)
When he opens it and tries to log in, the XSS will pop up.
Image POC
https://drive.google.com/file/d/1VoO0BHUE03o0iOo8B9WFRvC1zRrFN4-T/view?usp=sharing
Impact
The attacker is able to capture the admin's cookie and can take over his account.
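The root cause described above is a `redirect` parameter that is passed to a navigation sink without checking that it is a site-relative path, so a `javascript:` URL ends up executed in the admin's session. The following is an added example of a defensive validator for such a parameter; it is not OctoPrint's code and not the 1.8.0 fix mentioned below. Function names (`safe_redirect_target`, `redirect_from_query`) and the sample inputs are constructed for this example; the idea is that only paths beginning with a single `/` are accepted and anything else falls back to a fixed default.

```python
from urllib.parse import parse_qs, urlsplit

# Where to send the user when the requested redirect target is not acceptable.
DEFAULT_TARGET = "/"


def _has_control_chars(value: str) -> bool:
    """True if the string contains C0 control characters or DEL.

    Browsers silently drop tab, CR and LF from URLs, so "java\tscript:" is
    treated as "javascript:" by the client. Rather than trying to normalise
    such input the same way every browser does, reject it outright.
    """
    return any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value)


def safe_redirect_target(raw, default: str = DEFAULT_TARGET) -> str:
    """Return `raw` only if it is a site-relative path; otherwise `default`.

    Accepted: "/settings", "/settings?tab=x#y"
    Rejected: "javascript:...", "data:...", "http://other.host/",
              "//other.host/" (protocol-relative), "/\\other.host"
              (backslash is treated as slash by browsers), control chars,
              and anything not starting with "/".
    """
    if not raw:
        return default
    candidate = str(raw)
    if _has_control_chars(candidate):
        return default

    parts = urlsplit(candidate)
    # Any scheme (javascript:, data:, http:) or host part means this is not
    # a plain path on our own origin.
    if parts.scheme or parts.netloc:
        return default

    # Must be an absolute path on this origin, but not protocol-relative
    # ("//host") and not the backslash variant ("/\host").
    if not candidate.startswith("/") or candidate[1:2] in ("/", "\\"):
        return default

    return candidate


def redirect_from_query(query_string: str, default: str = DEFAULT_TARGET) -> str:
    """Extract and validate the `redirect` parameter from a raw query string.

    Mirrors the shape of the login URL in the report
    (`/login/?redirect=<value>`): the raw value is never handed to the
    client as-is.
    """
    values = parse_qs(query_string).get("redirect", [])
    return safe_redirect_target(values[0] if values else None, default)


if __name__ == "__main__":
    # Constructed sample inputs, including the payload shape from the report.
    samples = [
        "javascript:alert(document.cookie)",
        "/settings?tab=plugins#top",
        "//evil.example/login",
        "/\\evil.example",
        "java\tscript:alert(1)",
        " javascript:alert(1)",
        "http://127.0.0.1:2222/settings",
    ]
    for sample in samples:
        print(repr(sample), "->", repr(safe_redirect_target(sample)))
    print(repr(redirect_from_query("redirect=javascript%3Aalert(document.cookie)")))
```

Whatever consumes the value needs the same rule: if the page-side JavaScript assigns `window.location` from the parameter, it should apply an equivalent check (accept only a path starting with a single `/`) rather than trusting the server to have done so, since the DOM sink is where the `javascript:` scheme is actually honoured.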
I have downgraded the severity to high. A scope change is not possible here, and a successful attack requires knowledge about the target system and preparation (you not only need to get network access to a normally LAN-only application but also need to figure out who is an admin or has an account there, to target them with a prepared link that will then give you access to credentials via the vulnerability), so the complexity cannot be classified as "low" either.
Apart from that, thank you for finding this, because this is definitely a serious issue that needs fixing ASAP.
A fix has been prepared and will be rolled out with 1.8.0, which is planned to be released next week.
