Cross-site Scripting (XSS) - Stored in patrowl/patrowlmanager

Valid

Reported on

Dec 8th 2021


Description

PatrOwl is vulnerable to stored XSS in the asset group name. The payload is triggered when someone tries to delete the asset group.

Proof of Concept

https://drive.google.com/file/d/1F7m9g7s6xp-L5Q_Ky5ACOvndWAj8g20s/view?usp=sharing

Impact

This vulnerability permits an authenticated user to execute JavaScript in other users' web browsers.

We are processing your report and will contact the patrowl/patrowlmanager team within 24 hours. 2 months ago
We have contacted a member of the patrowl/patrowlmanager team and are waiting to hear back 2 months ago
patrowl/patrowlmanager maintainer validated this vulnerability 2 months ago
M0rphling has been awarded the disclosure bounty
The fix bounty is now up for grabs
patrowl/patrowlmanager maintainer
2 months ago

Maintainer


Hi there! Thank you for the report! We will fix it ASAP.

patrowl/patrowlmanager maintainer confirmed that a fix has been merged on 8526f8 2 months ago
The fix bounty has been dropped
patrowl/patrowlmanager maintainer
2 months ago

Maintainer


The fix has been released! Could you please have a quick check on the changes? Thanks!

M0rphling
2 months ago

Researcher


Hi there, I pulled the latest code from the master branch and can still see the payload executed there.

https://drive.google.com/file/d/1udcYmCKArJk7acwYdO2sOzmhX3fXUhTx/view?usp=sharing

M0rphling
2 months ago

Researcher


Hi there, sorry, after rebuilding the docker images, the XSS is gone. I confirm that this issue has been fixed.

patrowl/patrowlmanager maintainer
2 months ago

Maintainer


Great :D