Cross-site Scripting (XSS) - Generic in utmsigep/member-directory


Reported on

May 15th 2021

✍️ Description

Non-administrative functions display success banners after multiple actions that reflect user-input directly without sanitization.

🕵️‍♂️ Proof of Concept

Donation Creation and Update

  • Donations - New Donation
  • Enter XSS payloads into the fields Last Name, First Name and Receipt ID, eg. <img src=x onerror="alert('LName')" /> , <img src=x onerror="alert('FName')" /> , <img src=x onerror="alert('RId')" />
  • Hit Save. This will create a new donation and display a green success banner. The payload will execute since user input is not sanitized before calling the banner display function(s).

Member Creation and Update

  • Select a member-status/group - New Member
  • The fields last name, first name and external id do not get sanitized when passed to the banner display function(s).

💥 Impact

Cross-site Scripting (XSS) is an attack vector that allows arbitrary code execution on a vulnerable page, which may lead to more severe impact such as session theft, data theft, phishing and malicious/unintended processing on the client-side.

Testing was performed on a local deployment.

to join this conversation