Cross-site Scripting (XSS) - Stored in cortezaproject/corteza-webapp-workflow
Reported on
Aug 20th 2021
✍️ Description
Stored Cross-Site Scripting (XSS) is the type of XSS in which a user injects malicious JavaScript code into the web application, and that code is later rendered in the victim's browser.
🕵️‍♂️ Proof of Concept
- Sign in to the application as admin
- Go to workflows
- Edit workflow and set the label of any element to below payload:
<img src=x onerror=alert(document.domain)>
The alert should pop-up and if you save it, then you can refresh the page and it should still be there.
💥 Impact
This vulnerability is capable of performing actions as a victim by executing JavaScript code in the victim's context.
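The standard mitigation for this class of bug is to treat a workflow label as text, never as markup. The following is an added example (not Corteza's own code; the `wf-label` class and function names are assumptions) that contrasts raw interpolation of a label with an escaped rendering, using the payload from this report as the constructed input:

```javascript
// Added example (not Corteza code): output-encode user-supplied workflow
// labels before they are placed into HTML, so a label such as the reported
// payload renders as inert text instead of executing.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape every character that can open or close a tag or an attribute value.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// How the vulnerable path behaves: the label is interpolated verbatim, so
// any tag inside it becomes part of the DOM when the editor renders.
function renderLabelUnsafe(label) {
  return `<span class="wf-label">${label}</span>`;
}

// Hardened variant: the label is escaped, so it can only ever be text.
function renderLabelSafe(label) {
  return `<span class="wf-label">${escapeHtml(label)}</span>`;
}

// Defence in depth for the API side: flag labels that contain a tag or an
// inline event handler, which a workflow label never legitimately needs.
function labelLooksLikeMarkup(label) {
  return /<\s*[a-z]/i.test(label) || /\bon[a-z]+\s*=/i.test(label);
}

// Constructed input: the payload quoted in the report above.
const reportedPayload = '<img src=x onerror=alert(document.domain)>';

console.log('unsafe :', renderLabelUnsafe(reportedPayload)); // still contains <img
console.log('safe   :', renderLabelSafe(reportedPayload));   // &lt;img ... &gt;
console.log('flagged:', labelLooksLikeMarkup(reportedPayload)); // true
```

Escaping at render time is the fix; the server-side check is an extra control that also gives you a log line to alert on when someone stores markup in a label.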
Nice catch. The workflow editor is not something unauthorized users should have access to; if they do, XSS is the least of your worries. We will address this sometime in the future.
@admin do you have any policy regarding approving/rejecting such cases; vulnerability inside protected/administrative tools?
Hey Tomaž 😊
I suppose there are two ways of looking at this: either that this issue can be seen as an impact multiplier (i.e. if someone has gained unauthorised access to this control, they could potentially do more damage through something like the theft of cookies), or that this is a non-issue as authorised users should be able to do whatever they'd like (including running arbitrary JavaScript).
It's up to you how you (and your team) would like to handle this (to validate and award the bounty or to invalidate and let users know that this is a non-issue), but probably best to set this as a precedent, so that users can consider the outcome of this report, and know what kinds of vulnerabilities to report to you in the future.
I hope this helps.
- Adam
I've escalated it to the lead and we've agreed that this would be considered an issue. We will most likely address it with the next workflow editor UI iteration, probably in the following major release. Thank you for reporting the finding!