Cross-site Scripting (XSS) - Generic in utmsigep/member-directory
May 15th 2021
Non-administrative functions display success banners after multiple actions that reflect user-input directly without sanitization.
🕵️♂️ Proof of Concept
Donation Creation and Update
- Donations - New Donation
- Enter XSS payloads into the fields
Receipt ID, eg.
<img src=x onerror="alert('LName')" />,
<img src=x onerror="alert('FName')" />,
<img src=x onerror="alert('RId')" />
- Hit Save. This will create a new donation and display a green success banner. The payload will execute since user input is not sanitized before calling the banner display function(s).
Member Creation and Update
- Select a member-status/group - New Member
- The fields
external iddo not get sanitized when passed to the banner display function(s).
Cross-site Scripting (XSS) is an attack vector that allows arbitrary code execution on a vulnerable page, which may lead to more severe impact such as session theft, data theft, phishing and malicious/unintended processing on the client-side.
Testing was performed on a local deployment.
to join this conversation