Cross-site Scripting (XSS) - Stored in aimeos/aimeos-core

Valid

Reported on

Jul 4th 2021


✍️ Description

Integrated online shop based on Laravel 6 LTS and the Aimeos e-commerce framework. This web app is vulnerable to stored XSS through the filename.

🕵️‍♂️ Proof of Concept

💥 Impact

This vulnerability is capable of stored XSS.

Aimeos
a year ago

Maintainer


Please prove how an account takeover will be possible without viewing the file in a new tab. Otherwise, the severity of this issue is very low as it would require additional social engineering and user interaction.

Abdul muhaimin
a year ago

Researcher


Sorry, I was mistaken. You were right, these bugs are of lower impact; they can only be of higher impact when combined with some social engineering and user interaction, as you have mentioned. I will contact the huntr maintainers to reduce the severity of these bugs.

Abdul muhaimin
a year ago

Researcher


Regards Muhaimin

Abdul muhaimin
a year ago

Researcher


@aimeos also we can use this link globally, so it's a stored one:

https://admin.demo.aimeos.org/preview/2/7/276517e4_1443527806.svg

Abdul muhaimin
a year ago

Researcher


No privileges required.

Abdul muhaimin modified the report
a year ago
Aimeos
a year ago

Maintainer


The file is stored at the server but nothing will ever happen if anyone doesn't get a link and open it directly. Then, you need social engineering again.

We are thinking about using a SVG sanitizing library in the future: https://github.com/darylldoyle/svg-sanitizer
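
As an added example (not code from Aimeos or from this report), this is how an upload handler could run the svg-sanitizer library mentioned above before the file is written to disk, so that a stored SVG no longer carries script even when its link is opened directly. The `sanitizeSvgUpload` and `storeSvgUpload` helpers, the paths and the sample SVG are assumptions for illustration; the `enshrined\svgSanitize\Sanitizer` API is the library's own.

```php
<?php
// Added example: sanitize an uploaded SVG with darylldoyle/svg-sanitizer
// (composer require enshrined/svg-sanitize) before it is stored.
require __DIR__ . '/vendor/autoload.php';

use enshrined\svgSanitize\Sanitizer;

/**
 * Returns the sanitized SVG source, or null if the upload must be rejected.
 * Hypothetical helper, not part of Aimeos.
 */
function sanitizeSvgUpload(string $rawSvg): ?string
{
    $sanitizer = new Sanitizer();
    $sanitizer->removeRemoteReferences(true); // drop external href/xlink:href targets
    $sanitizer->removeXMLTag(true);           // strip the <?xml ?> prolog
    $sanitizer->minify(false);

    // The library removes <script>, event-handler attributes and other
    // non-allowlisted elements; it returns false for input that is not
    // well-formed XML, which we treat as a rejected upload.
    $clean = $sanitizer->sanitize($rawSvg);
    if ($clean === false || trim($clean) === '') {
        return null;
    }
    return $clean;
}

/**
 * Hypothetical upload path: read, sanitize, then store under a server-chosen name
 * so the client-supplied filename never reaches the filesystem or the preview URL.
 */
function storeSvgUpload(string $tmpPath, string $targetDir): ?string
{
    $raw = file_get_contents($tmpPath);
    if ($raw === false) {
        return null;
    }
    $clean = sanitizeSvgUpload($raw);
    if ($clean === null) {
        return null; // malformed or empty after sanitizing: do not store
    }
    $name = bin2hex(random_bytes(8)) . '.svg';
    file_put_contents(rtrim($targetDir, '/') . '/' . $name, $clean);
    return $name;
}

// Constructed sample: a renderable image that also carries an event handler and a script.
$sample = '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">'
        . '<script>alert(1)</script><circle r="10"/></svg>';
echo sanitizeSvgUpload($sample), PHP_EOL; // only the <svg> and <circle> survive
```

Sanitizing at upload time complements, rather than replaces, serving user files from a separate origin or with headers that prevent them from executing in the shop's origin.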

Abdul muhaimin
a year ago

Researcher


hey,

Yes, the solution is fine. I think you can validate the bug now.

regards muhaimin

Aimeos
a year ago

Maintainer


Sure, as soon as the severity of the report is decreased to a reasonable value for the issue.

Abdul muhaimin
a year ago

Researcher


The severity points have been decreased as you mentioned. Is it reasonable now?

For this too

https://www.huntr.dev/bounties/1625429205812-aimeos/aimeos-laravel/

Thanks

Aimeos
a year ago

Maintainer


The severity seems to be OK now.

Aimeos validated this vulnerability a year ago
Abdul muhaimin has been awarded the disclosure bounty
The fix bounty is now up for grabs
Aimeos
a year ago

Maintainer


The repository is wrong too and must be https://github.com/aimeos/aimeos-core

Jamie Slome
a year ago

Admin


I have updated the repository and bounty amounts for this disclosure. Thanks!

Aimeos marked this as fixed with commit 1d72b7 a year ago
Aimeos has been awarded the fix bounty
This vulnerability will not receive a CVE