Cross-site Scripting (XSS) - Stored in combodo/itop

Valid

Reported on

Jun 30th 2021

💥 BUG

stored xss via file upload

💥 STEP TO REPRODUCE

here in this case i uploaded a html file with xss payload inside.
Plz check this 1 minute video to reproduce https://drive.google.com/file/d/1xKqYFgrsFUfp9Ufe4XiATQcAL-Q6Mr9G/view?usp=sharing

💥 Impact

I see there is many different type of role base user . So, user who has permission to upload document can make xss attack against higher level user or admin

ranjit-git modified the report

2 years ago

Z-Old

commented 2 years ago

Admin

Hey ranjit-git, I've just emailed the maintainer and am waiting to hear back. Good job!

We have contacted a member of the combodo/itop team and are waiting to hear back 2 years ago

A combodo/itop maintainer validated this vulnerability 2 years ago

ranjit-git has been awarded the disclosure bounty

The fix bounty is now up for grabs

A combodo/itop maintainer

commented 2 years ago

Maintainer

The fix will be part of 2.7.6 that has just been released. A GitHub advisory was created : https://github.com/Combodo/iTop/security/advisories/GHSA-67x5-mqg4-rvgc

We will publish ths page and the advusory in 3 monthes.

Pierre Goiffon marked this as fixed in 2.7.6 with commit 92a9a8 2 years ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

Pierre Goiffon

commented 2 years ago

Maintainer

Hi, Combodo usually send goodies for its contributors, as a way to thank them. @ranjit-git can you send your postal address to pierre.goiffon @ combodo.com (remove spaces around the @)?

ranjit-git

commented 2 years ago

Researcher

@mainatiner Thanks for such care. Happy to secure itop project. I will send postal address to above mail id

to join this conversation

ranjit-git modified the report

2 years ago

Z-Old

commented 2 years ago

Admin

Hey ranjit-git, I've just emailed the maintainer and am waiting to hear back. Good job!

We have contacted a member of the combodo/itop team and are waiting to hear back 2 years ago

A combodo/itop maintainer validated this vulnerability 2 years ago

ranjit-git has been awarded the disclosure bounty

The fix bounty is now up for grabs

A combodo/itop maintainer

commented 2 years ago

Maintainer

The fix will be part of 2.7.6 that has just been released. A GitHub advisory was created : https://github.com/Combodo/iTop/security/advisories/GHSA-67x5-mqg4-rvgc

We will publish ths page and the advusory in 3 monthes.

Pierre Goiffon marked this as fixed in 2.7.6 with commit 92a9a8 2 years ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

Pierre Goiffon

commented 2 years ago

Maintainer

Hi, Combodo usually send goodies for its contributors, as a way to thank them. @ranjit-git can you send your postal address to pierre.goiffon @ combodo.com (remove spaces around the @)?

ranjit-git

commented 2 years ago

Researcher

@mainatiner Thanks for such care. Happy to secure itop project. I will send postal address to above mail id

to join this conversation