Cross-site Scripting (XSS) - Stored in causefx/organizr

Valid

Reported on

Sep 19th 2021


Description

When creating a new Tab, the tab name can contain JavaScript, which is stored as submitted. The same happens when editing the name of an existing Tab.

  • I tested it with the Docker image for Organizr (hash 7fb764ccd226):
organizr/organizr   latest    7fb764ccd226   4 weeks ago    73.3MB
  • Branch is v2-master.

Proof of Concept

  • Create a new Tab and enter a name like
XSS Alert<script>alert(1);</script>
  • Add all other relevant properties
  • Click on "Add Tab"

Impact

Anyone who can edit a tab can place Cross-Site Scripting in the tab name. The injected script runs for every user who can see that tab.

Occurrences

The function addTab adds the new tab, but does not escape the submitted values. The name is passed through as-is into the INSERT:

        // Vulnerable version: the submitted values (including the tab name)
        // only have their keys matched against the tabs columns; the name
        // value itself is not escaped or validated before it is stored.
        $array = $this->checkKeys($this->getTableColumnsFormatted('tabs'), $array);
        // ...
        $response = [
            array(
                'function' => 'query',
                'query' => array(
                    'INSERT INTO [tabs]',
                    $array
                )
            ),
        ];
        // ...
        // The raw name reaches the database and is later rendered for every
        // user who can see the tab.
        return $this->processQueries($response);
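Two defender-side checks for this bug, added here as an example that is not part of the report or of the Organizr code base: an audit of already stored tab names for HTML markup (relevant to installations that saved such a name before the fix), and entity-encoding of the name at render time rather than in storage. It assumes a SQLite `tabs` table with `id` and `name` columns, which the report does not show; the sample rows are constructed.

```python
import html
import re
import sqlite3

# Constructed sample rows standing in for Organizr's `tabs` table. The column
# names `id` and `name` are assumptions; the report only shows "INSERT INTO [tabs]".
SAMPLE_TABS = [
    (1, "Plex"),
    (2, "XSS Alert<script>alert(1);</script>"),   # payload from the report
    (3, "Sonarr & Radarr"),                         # legitimate name with '&'
    (4, "Fun<img src=x onerror=alert(1)>"),         # constructed second case
]

# Anything that looks like the start of an HTML tag (e.g. "<script", "</a", "<!--").
MARKUP_RE = re.compile(r"<\s*/?\s*[A-Za-z!]")


def build_db() -> sqlite3.Connection:
    """Create the in-memory table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tabs (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO tabs (id, name) VALUES (?, ?)", SAMPLE_TABS)
    conn.commit()
    return conn


def find_suspicious_tabs(conn: sqlite3.Connection) -> list[tuple[int, str]]:
    """Audit: return (id, name) for every stored tab name containing markup."""
    rows = conn.execute("SELECT id, name FROM tabs ORDER BY id").fetchall()
    return [(tab_id, name) for tab_id, name in rows if MARKUP_RE.search(name)]


def render_tab_name(name: str) -> str:
    """Output encoding: entity-encode the stored name where it is inserted
    into HTML. '<', '>', '&' and quotes become inert text, so the stored
    value is left untouched and ordinary names such as 'Sonarr & Radarr'
    still display correctly."""
    return html.escape(name, quote=True)


if __name__ == "__main__":
    db = build_db()
    for tab_id, name in find_suspicious_tabs(db):
        print(f"tab {tab_id} contains markup: {name!r}")
        print(f"  rendered safely as: {render_tab_name(name)}")
```

The audit flags rows 2 and 4 but not "Sonarr & Radarr"; encoding belongs at the output point, so the stored value is reported, not rewritten.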
Timeline

  • We have contacted a member of the causefx/organizr team and are waiting to hear back (8 months ago)
  • starkitsec modified the report (8 months ago, four revisions)
  • causefx validated this vulnerability (2 months ago)
  • starkitsec has been awarded the disclosure bounty
  • The fix bounty is now up for grabs
  • causefx confirmed that a fix has been merged on fd5315 (2 months ago)
  • causefx has been awarded the fix bounty
  • organizr.class.php#L5163 has been validated