Cross-site Scripting (XSS) - Stored in cortezaproject/corteza-server

Reported on Jun 10th 2021
Stored XSS bug using file upload against admin.

A lower-level user can make an XSS attack against admin. Using the XSS bug, an attacker can execute arbitrary JavaScript in the victim's account.
Thus a lower-level user can execute arbitrary JavaScript in the admin account using this XSS and can change his role.


1. First, from admin go to http://localhost:18080/admin/system/user and add a new user called user B.
Now give this user CRM permission so that user B can create Notes.

2. Now go to user B's account and create a Note. Now upload an SVG file to this note.
So now the download link of the uploaded file will be like http://localhost:18080/api/compose/namespace/234475729176375299/attachment/record/235004074443943939/original/evilsvgfile.svg?sign=ad604bd71d5f3b826318d56dba83b03dad0bb3b5&userID=234476336394022915&download=1 .
Here in this URL remove the last parameter download=1. So now the file link will be like http://localhost:18080/api/compose/namespace/234475729176375299/attachment/record/235004074443943939/original/evilsvgfile.svg?sign=ad604bd71d5f3b826318d56dba83b03dad0bb3b5&userID=234476336394022915 .
Open this link and see the XSS is executed.
Now send this link to admin.

3. Now when admin opens this link, the XSS is executed under the admin account.
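The root cause in the steps above is that dropping `download=1` lets the server deliver the uploaded SVG inline, so the browser renders it as an active document in the application's origin. The following is an added example of the defensive header logic a file-serving route needs (it is not corteza-server's code and not the fix in commit af0563); the `attachmentHeaders` and `serveAttachment` names and the `download` query parameter handling are assumptions for the illustration.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"path"
)

// Content types a browser renders as an active document when served inline.
// An SVG may carry <script>, so it is treated like HTML, not like a bitmap.
var activeContent = map[string]bool{
	"image/svg+xml":         true,
	"text/html":             true,
	"application/xhtml+xml": true,
}

// attachmentHeaders decides how an uploaded file is delivered. Inline
// delivery is allowed only for passive types; anything that could run script
// in the origin is always sent as a download, whatever the download flag says.
// X-Content-Type-Options stops the browser from sniffing a safe declared type
// into a dangerous one, and a restrictive CSP neuters inline script as a
// second layer if the disposition were ever ignored.
func attachmentHeaders(filename, contentType string, download bool) http.Header {
	h := http.Header{}
	ct, _, err := mime.ParseMediaType(contentType) // returns a lower-cased media type
	if err != nil {
		ct = "application/octet-stream"
	}
	disposition := "inline"
	if download || activeContent[ct] {
		disposition = "attachment"
	}
	h.Set("Content-Type", ct)
	h.Set("X-Content-Type-Options", "nosniff")
	h.Set("Content-Disposition", fmt.Sprintf("%s; filename=%q", disposition, path.Base(filename)))
	h.Set("Content-Security-Policy", "default-src 'none'; sandbox")
	return h
}

// serveAttachment is a hypothetical handler for an /original/<name> route:
// it applies the headers above before writing the stored file body.
func serveAttachment(w http.ResponseWriter, r *http.Request, filename, contentType string, body []byte) {
	download := r.URL.Query().Get("download") == "1"
	for k, v := range attachmentHeaders(filename, contentType, download) {
		w.Header()[k] = v
	}
	_, _ = w.Write(body)
}
```

With this logic the SVG from the report is downloaded rather than rendered even when `download=1` is stripped, while passive images such as PNG still display inline.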



ranjit-git modified the report 3 years ago

3 years ago

Hey @ranjit-git, I've just emailed the corteza-server maintainer and am waiting to hear back. Good job!

Tomaž Jerman
3 years ago

Hi, apologies for the delay. The issue is confirmed and the patch is prepared. @Ziding Zhang how can I approve the issue, but keep it private?

Jamie Slome
3 years ago

@Tomaz, once the report has been validated AND patched, it is made public. So if you mark it as valid, it will still remain private.

Tomaž Jerman validated this vulnerability 3 years ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
Tomaž Jerman marked this as fixed with commit af0563 3 years ago
The fix bounty has been dropped
3 years ago

Thanks Tomaž! Any reason that you wished not to claim the fix bounty? Your feedback would be much appreciated, thanks 🙏
