Cross-site Scripting (XSS) - Stored in cortezaproject/corteza-webapp-workflow


Reported on

Aug 20th 2021

✍️ Description

Stored Cross-Site Scripting (XSS) is the type of XSS when a user injects a maliscous javascript code into the web applacation and it gets later rendered in victim browser.

🕵️‍♂️ Proof of Concept

  1. Sign in to the application as admin
  2. Go to workflows
  3. Edit workflow and set the label of any element to below payload:
<img src=x onerror=alert(document.domain)>

The alert should pop-up and if you save it, then you can refresh the page and it should still be there.

💥 Impact

This vulnerability is capable of performing actions as a victim, executing javascript code in victims' context.

We have contacted a member of the cortezaproject/corteza-webapp-workflow team and are waiting to hear back 2 years ago
We have sent a second follow up to the cortezaproject/corteza-webapp-workflow team. We will try again in 10 days. 2 years ago
Tomaž Jerman
2 years ago


Nice catch. The workflow editor is not something unauthorized users should have access to; if they do, XSS is the least of your worries. We will address this sometime in the future.

@admin do you have any policy regarding approving/rejecting such cases; vulnerability inside protected/administrative tools?

Adam Nygate
2 years ago


Hey Tomaž 😊

I suppose there are two ways of looking at this, either that this issue can be seen as an impact multiplier (I.e if someone has gained unauthorised access to this control, that they could potentially do more damage through something like the theft of cookies), or that this is a non-issue as authorised users should be able to do whatever they'd like (including running arbitrary JavaScript).

It's up to you how you (and your team) would like to handle this (to validate and award the bounty or to invalidate and let users know that this is a non-issue), but probably best to set this as a precedent, so that users can consider the outcome of this report, and know what kinds of vulnerabilities to report to you in the future.

I hope this help.

  • Adam
2 years ago


So what now? 🤔

We have sent a third and final follow up to the cortezaproject/corteza-webapp-workflow team. This report is now considered stale. 2 years ago
Tomaž Jerman
2 years ago


I've escalated it to the lead and we've agreed that this would be considered an issue. We will most likely address it with the next workflow editor UI iteration, probably in the following major release. Thank you for reporting the finding!

Tomaž Jerman validated this vulnerability 2 years ago
kubolos231 has been awarded the disclosure bounty
The fix bounty is now up for grabs
Denis Arh marked this as fixed in 2022.3.x with commit 82d8f2 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
a year ago


Can I get a CVE for this vuln?

to join this conversation