Administrative functions display success banners after multiple actions that reflect user-input directly without sanitization.
🕵️♂️ Proof of Concept
Member-status Creation and Update
- Directory Admin - Member Statuses - Create New Member Status
Code: Enter a string,
Label: Enter an XSS Payload, eg.
<img src=x onerror="alert('xss')" />
- Save the configuration. These will create a new member-status and will display a success notification in a green banner.
- The payload will execute since user input is not sanitized before calling those functions.
Tag Creation and Update
- Directory Admin - Tags - Create New Tag
- Enter an XSS Payload, eg.
<img src=x onerror="alert('tag-xss')" />
- Hit Save. Same behaviour as the above.
User Creation and Update
- Directory Admin - Create User - Create New User
- Enter an XSS Payload in the
name field, eg.
<img src=x onerror="alert('user-xss-name')"/>
- Fill in the rest of the user's details as intended. Hit Save. Same behaviour as above.
Cross-site Scripting (XSS) is an attack vector that allows arbitrary code execution on a vulnerable page, which may lead to more severe impact such as session theft, data theft, phishing and malicious/unintended processing on the client-side.
Testing was performed on a local deployment.