Reflected XSS in fava application in beancount/fava

Valid

Reported on

Jul 22nd 2022


Description

The "query_string" parameter of fava application is vulnerable to reflected XSS for which a attacker can modify any information that the user is able to modify.

Proof of Concept

1.Open the url: https://fava.pythonanywhere.com/example-with-budgets/query/?filter=payee%3A%22Chichipotle%22&query_string=%3Cimg+src%3D1+onerror%3Dalert%28document.location%29%3E

2.Now XSS will popup.

Image

https://drive.google.com/file/d/1N7XGqTg4J5rPdDzFQ4TgEtwE9v2LXDlL/view?usp=sharing

Impact

If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user. Amongst other things, the attacker can:

+Perform any action within the application that the user can perform.

+View any information that the user is able to view.

+Modify any information that the user is able to modify.

Initiate interactions with other application users, including malicious attacks, that will appear to originate from the initial victim user. There are various means by which an attacker might induce a victim user to make a request that they control, to deliver a reflected XSS attack. These include placing links on a website controlled by the attacker, or on another website that allows content to be generated, or by sending a link in an email, tweet or other message

We are processing your report and will contact the beancount/fava team within 24 hours. 21 days ago
We have contacted a member of the beancount/fava team and are waiting to hear back 20 days ago
beancount/fava maintainer modified the Severity from Critical (9.6) to High (8) 20 days ago
beancount/fava maintainer
20 days ago

Maintainer


Since Fava URLs are dependent on the name of the underlying Beancount journal and the base URLs, which should be private and require a previous attach to be determined by the attacker, I've marked the attack complexity as "high"

beancount/fava maintainer has acknowledged this report 20 days ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
beancount/fava maintainer validated this vulnerability 20 days ago
SAMPRIT DAS has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
beancount/fava maintainer confirmed that a fix has been merged on dccfb6 20 days ago
The fix bounty has been dropped
beancount/fava maintainer gave praise 20 days ago
Thank you for the report :)
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
SAMPRIT DAS
20 days ago

Researcher


You are welcome :) @maintainer

SAMPRIT DAS
20 days ago

Researcher


@admin Can you please update the CVE description in nvd/mitre

Jamie Slome
18 days ago

Admin


We are currently waiting for MITRE to accept our contribution here. Once they do, the CVE will go live 👍

to join this conversation