Cross-site Scripting (XSS) - Stored in aimeos/aimeos-core

Valid
Reported on Jul 4th 2021

✍️ Description

Integrated online shop based on Laravel 6 LTS and the Aimeos e-commerce framework. This webapp is vulnerable to stored XSS through the filename.

🕵️‍♂️ Proof of Concept

poc

💥 Impact

This vulnerability is capable of stored XSS.

Aimeos
20 days ago

Maintainer


Please prove how an account take over will be possible without viewing the file in a new tab. Otherwise, severity of this issue is very low as it would require additional social engineering and user interaction.

Abdul muhaimin
20 days ago

Researcher


Sorry, I was mistaken, you were right: these bugs are of lower impact. They can only be of higher impact when combined with some social engineering and user interaction, as you have mentioned. I will contact the huntr maintainers to reduce the severity of these bugs.

Abdul muhaimin
20 days ago

Researcher


Regards Muhaimin

Abdul muhaimin
20 days ago

Researcher


@aimeos also, we can use this link globally, so it's a stored one:

https://admin.demo.aimeos.org/preview/2/7/276517e4_1443527806.svg

Abdul muhaimin
20 days ago

Researcher


No privileges required.

Abdul muhaimin modified their report
20 days ago
Aimeos
20 days ago

Maintainer


The file is stored on the server, but nothing will ever happen unless someone gets a link and opens it directly. Then, you need social engineering again.

We are thinking about using a SVG sanitizing library in the future: https://github.com/darylldoyle/svg-sanitizer

Abdul muhaimin
20 days ago

Researcher


hey,

Yes, the solution is fine. I think you can validate the bug now.

regards muhaimin

Aimeos
20 days ago

Maintainer


Sure, as soon as the severity of the report is decreased to a reasonable value for the issue.

Abdul muhaimin
19 days ago

Researcher


The severity points have been decreased as you mentioned. Is it reasonable now?

For this too

https://www.huntr.dev/bounties/1625429205812-aimeos/aimeos-laravel/

Thanks

Aimeos
19 days ago

Maintainer


The severity seems to be OK now.

Aimeos validated this vulnerability 19 days ago
Abdul muhaimin has been awarded the disclosure bounty
$25
The fix bounty is now up for grabs
$6.25
Aimeos
19 days ago

Maintainer


The repository is wrong too and must be https://github.com/aimeos/aimeos-core

Jamie Slome
19 days ago

Admin


I have updated the repository and bounty amounts for this disclosure. Thanks!

Aimeos confirmed that a fix has been merged on 1d72b7 19 days ago
Aimeos has been awarded the fix bounty
$6.25