Multiple Stored XSS in filamentphp/filament

Valid

Reported on Jul 3rd 2022

✍️ Description

The persistent (or stored) XSS vulnerability is a more devastating variant of a cross-site scripting flaw. It occurs when the data provided by the attacker is saved by the server and then permanently displayed on "normal" pages returned to other users in the course of regular browsing.

Proof of Concept

Check this video for POC: Video

Impact

This can allow attackers to execute arbitrary JavaScript code in different contexts for different purposes (e.g. a malicious attacker could potentially steal the victim's session cookies and completely take over their accounts).

Ways to exploit:

1- This vulnerability is already affecting other repositories using Markdown for user inputs.

2- The Markdown editor is associated with user inputs like "author, post, ..." (e.g. a malicious "author" could exploit this cross-site scripting vulnerability to take over the admin account).
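The defensive counterpart to the issue above is to treat the HTML that a Markdown renderer emits for a stored "author" or "post" field as untrusted and sanitize it against an allowlist before it is stored or echoed into a page. The following is an added illustration of that pattern, not code from the report or from Filament, written in Python with only the standard library; the sanitizer class, its allowlists and the sample fragments are all assumptions constructed for the example, and the fragments stand in for what a Markdown renderer would produce when it passes raw HTML through.

```python
"""Allowlist sanitizer for HTML produced from user-supplied Markdown.

Added illustration (not Filament code): Markdown renderers commonly pass raw
HTML through, so a stored "author" or "post" body can carry tags and
attributes that run script when another user views the page. The fix pattern
is to sanitize the rendered HTML against an allowlist of tags, attributes and
URL schemes before it is stored or rendered.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import html

# Tags a Markdown document legitimately needs; everything else is dropped.
ALLOWED_TAGS = {"p", "br", "strong", "em", "ul", "ol", "li", "a", "img",
                "code", "pre", "blockquote", "h1", "h2", "h3"}
# Attributes allowed per tag; no on* handler and no style attribute is listed.
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "title"}}
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br", "img"}


def url_is_safe(value):
    """Reject javascript:, data: and similar URL schemes in href/src."""
    if value is None:
        return False
    # Browsers ignore tabs/newlines inside a scheme, so strip them before checking.
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20)
    try:
        scheme = urlparse(cleaned).scheme.lower()
    except ValueError:
        return False
    return scheme == "" or scheme in SAFE_SCHEMES


class MarkdownOutputSanitizer(HTMLParser):
    """Hypothetical allowlist sanitizer built on the stdlib HTML tokenizer."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.stack = []      # allowed tags currently open, to keep output balanced
        self.skip_depth = 0  # >0 while inside <script>/<style>, whose text is dropped

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag dropped; its text content still passes through escaped
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onerror=, onclick=, style=, ...
            if name in ("href", "src") and not url_is_safe(value):
                continue
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.stack:
            return
        # Close anything left open inside this element so the output stays well-formed.
        while self.stack:
            open_tag = self.stack.pop()
            self.out.append(f"</{open_tag}>")
            if open_tag == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))


def sanitize_html(fragment):
    """Return a sanitized copy of an HTML fragment rendered from Markdown."""
    s = MarkdownOutputSanitizer()
    s.feed(fragment)
    s.close()
    while s.stack:  # close tags the input left dangling
        s.out.append(f"</{s.stack.pop()}>")
    return "".join(s.out)


if __name__ == "__main__":
    # Constructed samples standing in for a Markdown renderer's output for a
    # stored "author" bio that carries raw HTML.
    samples = [
        '<p>Hello <strong>world</strong> 1 &lt; 2</p>',
        '<p>bio</p><script>alert(1)</script>',
        '<img src="x" onerror="alert(1)">',
        '<a href="javascript:alert(1)">profile</a>',
        '<a href="https://example.com" onclick="alert(1)">site</a>',
    ]
    for raw in samples:
        print(f"{raw!r:60} -> {sanitize_html(raw)!r}")
```

The allowlist direction matters: the sanitizer never tries to recognise dangerous tags or attributes, it only keeps the small set Markdown output needs and escapes everything else as text, so an unexpected handler attribute or scheme fails closed. A production application would use a maintained sanitizer library with the same allowlist design, and would apply it on the server at render time rather than trusting what the browser-side editor submitted.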

We are processing your report and will contact the filamentphp/filament team within 24 hours. (a year ago)
We have contacted a member of the filamentphp/filament team and are waiting to hear back. (a year ago)

filamentphp/filament maintainer (Maintainer), a year ago:

This issue was fixed yesterday after a report from the creator of Ploi Roadmap. @admin how should I resolve this ticket, does he get a bounty?

Jamie Slome (Admin), a year ago:

It is funny, because @0x7zed reported this to Ploi Roadmap, and as a result, I imagine the maintainer got in touch with you 😂

I think @0x7zed deserves the bounty and for the report to be marked as valid, AS LONG AS you believe this to be a valid vulnerability, deserving a fix.

Let me know your thoughts on the above :)

filamentphp/filament maintainer modified the Severity from High to Low a year ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
filamentphp/filament maintainer validated this vulnerability a year ago
0x7zed has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
filamentphp/filament maintainer marked this as fixed in 2.13.21 with commit 2d2c95 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
MarkdownEditor.php#L1-L30 has been validated
filamentphp/filament maintainer gave praise a year ago
Thank you
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1