Cross-site Scripting (XSS) - Stored in cortezaproject/corteza-webapp-workflow

Valid

Reported on

Aug 20th 2021


✍️ Description

Stored Cross-Site Scripting (XSS) is the type of XSS when a user injects a maliscous javascript code into the web applacation and it gets later rendered in victim browser.

🕵️‍♂️ Proof of Concept

  1. Sign in to the application as admin
  2. Go to workflows
  3. Edit workflow and set the label of any element to below payload:
<img src=x onerror=alert(document.domain)>

The alert should pop-up and if you save it, then you can refresh the page and it should still be there.

💥 Impact

This vulnerability is capable of performing actions as a victim, executing javascript code in victims' context.

We have contacted a member of the cortezaproject/corteza-webapp-workflow team and are waiting to hear back 7 months ago
We have sent a second follow up to the cortezaproject/corteza-webapp-workflow team. We will try again in 10 days. 7 months ago
Tomaž Jerman
7 months ago

Maintainer


Nice catch. The workflow editor is not something unauthorized users should have access to; if they do, XSS is the least of your worries. We will address this sometime in the future.

@admin do you have any policy regarding approving/rejecting such cases; vulnerability inside protected/administrative tools?

Adam Nygate
7 months ago

Admin


Hey Tomaž 😊

I suppose there are two ways of looking at this, either that this issue can be seen as an impact multiplier (I.e if someone has gained unauthorised access to this control, that they could potentially do more damage through something like the theft of cookies), or that this is a non-issue as authorised users should be able to do whatever they'd like (including running arbitrary JavaScript).

It's up to you how you (and your team) would like to handle this (to validate and award the bounty or to invalidate and let users know that this is a non-issue), but probably best to set this as a precedent, so that users can consider the outcome of this report, and know what kinds of vulnerabilities to report to you in the future.

I hope this help.

  • Adam
kubolos231
7 months ago

Researcher


So what now? 🤔

We have sent a third and final follow up to the cortezaproject/corteza-webapp-workflow team. This report is now considered stale. 7 months ago
Tomaž Jerman
7 months ago

Maintainer


I've escalated it to the lead and we've agreed that this would be considered an issue. We will most likely address it with the next workflow editor UI iteration, probably in the following major release. Thank you for reporting the finding!

Tomaž Jerman validated this vulnerability 7 months ago
kubolos231 has been awarded the disclosure bounty
The fix bounty is now up for grabs
Denis Arh confirmed that a fix has been merged on 82d8f2 3 months ago
The fix bounty has been dropped
to join this conversation