Cross-site Scripting (XSS) - Stored in utmsigep/member-directory

Reported on May 15th 2021

✍️ Description

Donor creation is vulnerable to stored XSS due to missing sanitization on user input.

🕵️‍♂️ Proof of Concept

  • Select a member-status/group - Create Member
  • Enter an XSS payload into the directory notes field, e.g. <img src=x onerror="alert('dir notes')" />
  • Hit save. Upon refreshing/navigating away and back to the page, the XSS payload stored in directory notes will execute.

💥 Impact

Cross-site Scripting (XSS) is an attack vector that allows arbitrary code execution on a vulnerable page, which may lead to more severe impact such as session theft, data theft, phishing and malicious/unintended processing on the client-side. Stored XSS is a persistent vector and can deliver higher impact than reflected payloads.
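The missing output encoding behind this report, shown next to its fix. This is an added example, not code from utmsigep/member-directory. The function names, the record shape and the surrounding markup are assumptions made for illustration; the stored value is the payload from the proof of concept.

```javascript
// Added example: escapeHtml, renderNotesUnsafe, renderNotesSafe and
// rendersAsMarkup are hypothetical names, not the project's own code.

// Characters that change parsing state in HTML text or quoted attribute values.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode untrusted text for an HTML element body or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: stored values are concatenated into markup as-is,
// so any tag they contain is parsed by the browser on every page view.
function renderNotesUnsafe(member) {
  return `<div class="notes" title="${member.name}">${member.directoryNotes}</div>`;
}

// Hardened pattern: encode at output time, for every stored field.
function renderNotesSafe(member) {
  return `<div class="notes" title="${escapeHtml(member.name)}">` +
    `${escapeHtml(member.directoryNotes)}</div>`;
}

// Regression check: true if a stored value containing a tag reaches the
// rendered page byte-for-byte, i.e. still parseable as markup.
function rendersAsMarkup(html, stored) {
  return /<[a-z]/i.test(stored) && html.includes(stored);
}

// Constructed record holding the payload from the proof of concept.
const storedMember = {
  name: 'Test "Member"',
  directoryNotes: `<img src=x onerror="alert('dir notes')" />`,
};

console.log("unsafe:", renderNotesUnsafe(storedMember));
console.log("safe:  ", renderNotesSafe(storedMember));
```

Encoding at render time protects records that were already stored before the fix, which input-side filtering alone does not.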