Stored XSS due to no sanitization in the filename in causefx/organizr

Valid

Reported on

Apr 10th 2022


Description

The organizr application doesn't sanitize the filename of uploaded images, so a malicious JavaScript payload placed in the filename is stored and rendered, which leads to stored XSS and can also be used to take over the admin account.

Proof of Concept

1. Log in with a Co-admin account, go to "Settings" -> "Image Manager", upload any small JPEG image and intercept the request in Burp Suite.

2. Then change the name of the uploaded image to the XSS payload below and forward the request:

     <img src=1 onerror=alert(1337)>.jpeg

3. Then log in with the admin account, go to "Settings" -> "Image Manager" and open the image uploaded by the Co-admin; you will see that the XSS triggers.
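As an added example (not Organizr's own code), the two defensive layers that close this class of bug in a PHP image manager: reject any stored filename that is not a plain image basename, and HTML-encode the name wherever it is rendered so that a value already in the database cannot inject markup. The function names are assumptions, and the inputs are constructed from the payload in the report.

```php
<?php
// Layer 1: validate the filename at upload time, before it is written to disk
// or the database. Only a short basename of [A-Za-z0-9._-] with an image
// extension is accepted; anything else is rejected rather than "cleaned".
function sanitize_upload_filename(string $name): ?string
{
    // Drop any directory component, whether the client used / or \.
    $base = basename(str_replace('\\', '/', $name));
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,99}\.(jpe?g|png|gif|webp)$/i', $base)) {
        return null;
    }
    return $base;
}

// Vulnerable pattern: the stored name is concatenated straight into markup,
// so a name containing <img ... onerror=...> becomes a live element.
function render_image_row_vulnerable(string $name): string
{
    return '<li><img src="/images/' . $name . '"> ' . $name . '</li>';
}

// Layer 2: contextual output encoding. The text node gets HTML entity
// encoding; the URL inside the src attribute gets percent-encoding, whose
// output contains no characters that can break out of an attribute.
function render_image_row(string $name): string
{
    $text = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $url  = '/images/' . rawurlencode($name);
    return '<li><img src="' . $url . '"> ' . $text . '</li>';
}

// Constructed inputs: the filename from the report and a benign one.
$payload = '<img src=1 onerror=alert(1337)>.jpeg';
$benign  = 'logo-2022.jpeg';

// The payload is refused at upload; the benign name passes unchanged.
var_dump(sanitize_upload_filename($payload));
var_dump(sanitize_upload_filename($benign));

// Side by side: the vulnerable row injects markup, the encoded row shows
// the same name as inert text.
echo render_image_row_vulnerable($payload), "\n";
echo render_image_row($payload), "\n";
```

Both layers belong in place: validation stops new bad names, and output encoding protects against names that were stored before the validation existed.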

PoC Video

https://drive.google.com/file/d/1X8-YyNkt8-MBLY2Btezn2Wel6HLjyhtu/view?usp=sharing

Impact

This allows an attacker to execute malicious scripts in the victim's browser, which can lead to session hijacking, sensitive data exposure, and worse.

We are processing your report and will contact the causefx/organizr team within 24 hours. a month ago
SAMPRIT DAS modified the report
a month ago
SAMPRIT DAS modified the report
a month ago
We have contacted a member of the causefx/organizr team and are waiting to hear back a month ago
causefx
a month ago

Maintainer


Not sure how to get huntr.dev to assign a CVE

SAMPRIT DAS
a month ago

Researcher


@admin Can you assign a CVE to this report, as the maintainers agree?

SAMPRIT DAS
a month ago

Researcher


Maintainer, no problem, you just validate the report; @admin will assign a CVE for all those reports.

causefx modified the report
a month ago
causefx validated this vulnerability a month ago
SAMPRIT DAS has been awarded the disclosure bounty
The fix bounty is now up for grabs
causefx confirmed that a fix has been merged on a09d83 a month ago
causefx has been awarded the fix bounty
SAMPRIT DAS
a month ago

Researcher


CVSS score should be CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H. Admin, please change it.

causefx
a month ago

Maintainer


My mistake, please change the severity as stated by the researcher and award the bounty.

causefx
a month ago

Maintainer


Forgot to tag @admin, sorry about that.

Jamie Slome
a month ago

Admin


Sorted 👍

SAMPRIT DAS
a month ago

Researcher


@admin Can you assign a CVE to this report, as the @maintainer agrees?

causefx
a month ago

Maintainer


@admin you can assign a CVE for this report.

Jamie Slome
a month ago

Admin


Sorted 👍
