Cross-site Scripting (XSS) - Stored in francoisjacquet/rosariosis

Valid

Reported on

Apr 23rd 2022


Description

Stored XSS found due to long name summarize

Proof of Concept

1.First, access the latest version of the demo environment. https://www.rosariosis.org/demonstration/index.php

2.Then log in with your teacher account (teacher/teacher)

3.After logging in, access to add an assignment.

4.Then enter the assignment's name with a payload contain more than 37 letter such as 12345678" onmouseover="alert(origin) -> a span tag will show up at student / parent view when they access assignment lists that i can escape from title attribute

5.Finally, save the assignment.

6.Log in from here with your student's or parent's account

7.After logging in, access page that can see the list of assignment https://www.rosariosis.org/demonstration/Modules.php?modname=misc/Portal.php

-> An alert box will show up when student try to open that assignment.

image

Impact

This vulnerability can be arbitrarily executed javascript code, steal user'cookie, etc...

We are processing your report and will contact the francoisjacquet/rosariosis team within 24 hours. a month ago
We have contacted a member of the francoisjacquet/rosariosis team and are waiting to hear back a month ago
François
a month ago

Maintainer


Hello @dungtuanha

Thank you for reporting the issue. Version 9.0 will escape HTML attributes program wide, so hopefully it is not found anywhere else.

François Jacquet validated this vulnerability a month ago
dungtuanha has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
François Jacquet confirmed that a fix has been merged on be5bf1 a month ago
François Jacquet has been awarded the fix bounty
to join this conversation