Cross-site Scripting (XSS) - Generic in utmsigep/member-directory

Valid
Reported on May 15th 2021

✍️ Description

Administrative functions display success banners after several actions; these banners reflect user input directly, without sanitization or output encoding.

🕵️‍♂️ Proof of Concept

Member-status Creation and Update

  • Directory Admin - Member Statuses - Create New Member Status
  • Code: Enter any string. Label: Enter an XSS payload, e.g. <img src=x onerror="alert('xss')" />
  • Save the configuration. This creates a new member status and displays a success notification in a green banner.
  • The payload executes because the user input is not sanitized before it is rendered in that banner.

Tag Creation and Update

  • Directory Admin - Tags - Create New Tag
  • Enter an XSS payload, e.g. <img src=x onerror="alert('tag-xss')" />
  • Hit Save. The behaviour is the same as above.

User Creation and Update

  • Directory Admin - Create User - Create New User
  • Enter an XSS payload in the name field, e.g. <img src=x onerror="alert('user-xss-name')"/>
  • Fill in the rest of the user's details as intended. Hit Save. The behaviour is the same as above.
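Added example, not code from the member-directory project: a success-banner renderer in the vulnerable string-concatenation style beside an output-encoded version, run against the first payload above to show that encoding makes it inert. The function names and banner markup are assumptions; in a real application the fix is to let the template engine escape by default rather than hand-roll this.

```javascript
// Added example (not code from utmsigep/member-directory): why the reflected
// success banners in the report are exploitable and how output encoding fixes it.

// Constructed inputs: a benign label and the payload quoted in the report.
const BENIGN_LABEL = "Active Member";
const REPORTED_PAYLOAD = '<img src=x onerror="alert(\'xss\')" />';

// HTML-encode the five characters that can break out of a text context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern (assumed, mirrors the reported behaviour): the submitted
// label is concatenated straight into the banner, so markup in it becomes live DOM.
function renderBannerUnsafe(label) {
  return `<div class="alert alert-success">Member status "${label}" created.</div>`;
}

// Hardened pattern: the same banner, but the label is encoded before insertion,
// so the browser shows the payload as text instead of creating an <img> element.
function renderBannerSafe(label) {
  return `<div class="alert alert-success">Member status "${escapeHtml(label)}" created.</div>`;
}

// Illustrative check only: does the banner body (minus its own wrapper <div>)
// contain any tag? Anything found here came from the untrusted label.
function containsInjectedTag(html) {
  const inner = html
    .replace(/^<div class="alert alert-success">/, "")
    .replace(/<\/div>$/, "");
  return /<[a-z][^>]*>/i.test(inner);
}

console.log(containsInjectedTag(renderBannerUnsafe(REPORTED_PAYLOAD))); // injected tag present
console.log(containsInjectedTag(renderBannerSafe(REPORTED_PAYLOAD)));   // payload rendered inert
```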

💥 Impact

Cross-site Scripting (XSS) is an attack vector that allows arbitrary script execution in the context of a vulnerable page, which may lead to more severe impact such as session theft, data theft, phishing and malicious or unintended processing on the client side.

Testing was performed on a local deployment.