Cross-site Scripting (XSS) - Stored in patrowl/patrowlmanager

Valid

Reported on

Dec 8th 2021


Description

PatrOwl is vulnerable to stored XSS in asset group name. The payload will be triggered when someone try to delete the asset group.

Proof of Concept

https://drive.google.com/file/d/1F7m9g7s6xp-L5Q_Ky5ACOvndWAj8g20s/view?usp=sharing

Impact

This vulnerability permit to an authenticate user to execute JavaScript on other users Web Browser.

We are processing your report and will contact the patrowl/patrowlmanager team within 24 hours. a year ago
We have contacted a member of the patrowl/patrowlmanager team and are waiting to hear back a year ago
patrowl/patrowlmanager maintainer validated this vulnerability a year ago
M0rphling has been awarded the disclosure bounty
The fix bounty is now up for grabs
patrowl/patrowlmanager maintainer
a year ago

Maintainer


Hi there ! Thank you for the report ! We fix it ASAP

patrowl/patrowlmanager maintainer marked this as fixed in 1.7.6 with commit 8526f8 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
patrowl/patrowlmanager maintainer
a year ago

Maintainer


Fix has been released ! Could please have a quick check on changes ? Thanks !

M0rphling
a year ago

Researcher


Hi there, I pulled the latest code from master branch and still can see payload executed there.

https://drive.google.com/file/d/1udcYmCKArJk7acwYdO2sOzmhX3fXUhTx/view?usp=sharing

M0rphling
a year ago

Researcher


Hi thre, sorry after rebuilding the docker images, the XSS is gone. I confirm that this issue has been fixed.

patrowl/patrowlmanager maintainer
a year ago

Maintainer


Great :D

to join this conversation