Description

Hello Team,

Hope you are doing well.

I have found a reflected cross site scripting vulnerability in search functionality present in the module library section.

What is reflected cross site scripting?

Reflected cross-site scripting (or XSS) arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way.

This vulnerability arises on the forget password functionality in which parameter username does not proper input validation/sanitization thus results in executing malicious JavaScript payload.

Steps to reproduce:

• Add below given xss payload in the search functionality present in module library section & hit search.
• Payload will be executed. Now copy the url & share with the victim user.
• Payload will be executed in victim users browser if he/she is authenticated.

Vulnerable URL/Endpoint:

http://127.0.0.1:8080/pandora_console/index.php?sec=gmodule_library&sec2=godmode/module_library/module_library_view&tab=search_module&search=%22%3E%3Ch1%3E%3Cu%3E%3Ci%3Elol123%3C/i%3E%3C/u%3E%3C/h1%3E%3Cscript%3Ealert(document.domain);//

Proof of Concept

https://drive.google.com/drive/folders/18HMChOYvPjqqwhtJX4UVGyIFgJ1mY8KN?usp=sharing

Payload Used = "><h1><u><i>lol123</i></u></h1><script>alert(document.domain);//

Impact

Impact of this vulnerability is

• Perform any action within the application that the user can perform.
• View any information that the user is able to view.
• Modify any information that the user is able to modify.
• Session hijacking as the JavaScript code can easily access session cookie since the httponly flag is set to false.

Mitigation:

• Implement security headers such as X-XSS-Protection, CSP for added layer of protection.
• Proper input validation and sanitization should be performed.
• Proper output encoding should be performed.