Multiple Stored XSS in filamentphp/filament

Valid

Reported on

Jul 3rd 2022


✍️ Description

The persistent (or stored) XSS vulnerability is a more devastating variant of a cross-site scripting flaw. It occurs when the data provided by the attacker is saved by the server and then permanently displayed on "normal" pages returned to other users in the course of regular browsing.

Proof of Concept

Check this video for POC: Video

Impact

This can allow attackers to execute arbitrary JavaScript code in different contexts for different purposes (e.g. a malicious attacker could potentially steal the victim's session cookies and completely take over their accounts).

Ways to exploit:

1- This vulnerability is already affecting other repositories using the Markdown editor for user inputs.

2- The Markdown editor is associated with user inputs like "author, post, ..." (e.g. a malicious "author" could exploit this cross-site scripting vulnerability to take over the admin account).
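Added illustration, not part of the report and not Filament's own code: a minimal Markdown renderer that shows the failure mode the report describes (raw HTML stored through the editor reaching other users' pages unchanged) next to the hardened path, which escapes the input before applying Markdown transforms and only emits links with an allowed scheme. The `allowRawHtml` option and the Markdown subset are assumptions made for the example.

```javascript
// Added example (not Filament code): render a Markdown subset safely by
// escaping raw HTML before any transform, so stored input such as
// "<script>..." is displayed literally instead of executed.

function escapeHtml(text) {
  return text
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Only allow http(s), root-relative paths, and fragment links as href values.
function isSafeUrl(url) {
  return /^(https?:\/\/|\/(?!\/)|#)/i.test(url.trim());
}

// Handles bold, italic, inline code and links (assumed subset).
function renderMarkdown(input, { allowRawHtml = false } = {}) {
  // Vulnerable path: stored raw HTML flows straight into the page.
  // Hardened path: escape first, then apply Markdown transforms.
  let html = allowRawHtml ? input : escapeHtml(input);

  html = html.replace(/\*\*(.+?)\*\*/g, "<strong>$1</strong>");
  html = html.replace(/\*(.+?)\*/g, "<em>$1</em>");
  html = html.replace(/`([^`]+)`/g, "<code>$1</code>");
  // Links with a disallowed scheme are reduced to their plain text.
  html = html.replace(/\[([^\]]+)\]\(([^\s]+)\)/g, (match, text, url) =>
    isSafeUrl(url) ? `<a href="${url}">${text}</a>` : text
  );
  return html;
}

// Constructed sample of what a malicious "author" field could contain.
const storedAuthorField =
  "**Author**: <script>alert(1)</script> [profile](javascript:void(0))";
```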

We are processing your report and will contact the filamentphp/filament team within 24 hours. a month ago
We have contacted a member of the filamentphp/filament team and are waiting to hear back a month ago
filamentphp/filament maintainer
a month ago

Maintainer
This issue was fixed yesterday after a report from the creator of Ploi Roadmap. @admin how should I resolve this ticket, does he get a bounty?

Jamie Slome
a month ago

Admin
It is funny, because @0x7zed reported this to Ploi Roadmap, and as a result, I imagine the maintainer got in touch with you 😂

I think @0x7zed deserves the bounty and for the report to be marked as valid, AS LONG AS you believe this to be a valid vulnerability, deserving a fix.

Let me know your thoughts on the above :)

filamentphp/filament maintainer modified the Severity from High to Low a month ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
filamentphp/filament maintainer validated this vulnerability a month ago
0x7zed has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
filamentphp/filament maintainer confirmed that a fix has been merged on 2d2c95 a month ago
The fix bounty has been dropped
MarkdownEditor.php#L1-L30 has been validated
filamentphp/filament maintainer gave praise a month ago
Thank you
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1