Cross-site Scripting (XSS) - Stored in changeweb/unifiedtransform

Valid

Reported on

May 18th 2021


✍️ Description

Stored Cross Site Scripting in the message/all.blade.php.

🕵️‍♂️ Proof of Concept

As a teacher, click on "My Courses" and then "message students". CKEditor hides the underlying <textarea>, but a <script> tag can still be added there; alternatively, capture the request in a proxy like Burp Suite and edit the HTTP POST request to add the payload.

[Screenshot: adding payload]

Select the student and submit the form. Now log in as the student and check messages. The JavaScript runs successfully and an alert box appears.

[Screenshot: poc]

💥 Impact

This vulnerability can be used to gain access to students' accounts as well as the admin's account, because the view rendered by message/all.blade.php is also accessible to the admin.

Hasib Mahmud
4 months ago

Maintainer


@admin sorry for the late response. I didn't notice your email. Can you suggest any fix for this? Thanks.

Hasib Mahmud
4 months ago

Maintainer


@admin Fixed the issue in the latest commit. I have used https://github.com/stevebauman/purify. Thank you.
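The following is an added illustration of the bug class and of the kind of fix the maintainer describes (sanitizing message HTML with stevebauman/purify); it is not unifiedtransform's own code, and the controller name, the $message->body field, the validation rules and the exact contents of message/all.blade.php are assumptions, since the report does not show them. Purify::clean() is the package's real entry point; the rest is hypothetical.

```php
<?php
// Added example, not code from the unifiedtransform project.
// Assumed: a MessageController with a store() action, a Message model with a
// `body` column, and a message/all.blade.php view that prints that column.
//
// Vulnerable pattern (hypothetical reconstruction of the view):
//
//     {!! $message->body !!}
//
// `{!! !!}` prints raw HTML, so a <script> tag submitted through the hidden
// CKEditor <textarea> (or an edited POST body) is stored verbatim and executes
// in the browser of every student or admin who opens the messages page.
//
// Hardened option A, when rich text is not required: let Blade escape it.
//
//     {{ $message->body }}
//
// Hardened option B, when CKEditor formatting must survive (the approach the
// maintainer's fix takes): pass the HTML through stevebauman/purify, which
// wraps HTMLPurifier and keeps only whitelisted tags and attributes.

namespace App\Http\Controllers;

use App\Models\Message;
use Illuminate\Http\Request;
use Stevebauman\Purify\Facades\Purify;

class MessageController extends Controller
{
    public function store(Request $request)
    {
        // Hypothetical validation rules; the real field names are not on the page.
        $data = $request->validate([
            'student_id' => 'required|integer|exists:users,id',
            'body'       => 'required|string|max:10000',
        ]);

        // Sanitize on write: removes <script>, on* event-handler attributes,
        // javascript: URLs and other active content, leaving <p>, <b>, <ul>, etc.
        $data['body'] = Purify::clean($data['body']);

        Message::create([
            'sender_id'   => $request->user()->id,
            'receiver_id' => $data['student_id'],
            'body'        => $data['body'],
        ]);

        return redirect()->back();
    }
}

// Defence in depth for messages stored before the fix was deployed: sanitize
// again at render time in message/all.blade.php (hypothetical line):
//
//     {!! Purify::clean($message->body) !!}
//
// Sanitizing on both write and read means a record that slipped into the
// database through another path still cannot execute in the viewer's browser.
```

A useful check after deploying such a fix is to re-run the report's own steps: send a message containing a <script> tag and confirm that, when viewed as the student and as the admin, the tag is absent from the rendered page source rather than merely not producing an alert.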

Hasib Mahmud validated this vulnerability 4 months ago
0xcrypto has been awarded the disclosure bounty
The fix bounty is now up for grabs
Hasib Mahmud confirmed that a fix has been merged on 8d0641 4 months ago
Hasib Mahmud has been awarded the fix bounty