Cross-site Scripting (XSS) - Stored in apostrophecms/apostrophe

Valid

Reported on

Jul 29th 2021


✍️ Description:

An attacker could upload a specially crafted SVG image containing malicious script. When a user follows a link to this image, the script is executed.

🕵️‍♂️ Proof of Concept:

// PoC.js

var payload = ...
PoC link on the demo site: https://demo-ckrp2ycbk01etdvxw1myanric.apostrophecmsdemo.org/uploads/ckrp2ycbk01etdvxw1myanric/attachments/ckrp2ze0p01eydvxw81sbtqk4-xss-xml-svg-font-example-poc.svg

💥 Impact:

This vulnerability is capable of stealing user sessions, taking over user accounts, and redirecting users to an attacker-controlled site.
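The report describes the two halves of the problem: an SVG upload that carries script, and a site that serves that upload as a document when someone navigates to its URL. The following is an added example (not code from the report or from ApostropheCMS) showing how a defender can address both halves in Python: an upload-time check that rejects SVGs containing script elements, event-handler attributes, SMIL rewrites of `href`, or `javascript:` links, and a set of response headers for serving uploads so that a payload that slips through still cannot run. The SVG samples are constructed for this example, the header policy is an assumed deployment choice, and `find_svg_issues`, `is_safe_svg` and `upload_response_headers` are names invented here. A hardened XML parser such as defusedxml would be preferable in production; the standard library is used so the block runs as-is.

```python
import re
import xml.etree.ElementTree as ET

# Elements that can execute script or embed arbitrary HTML inside an SVG document
FORBIDDEN_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
# URL schemes that turn a link or reference into script execution
# ("data:" is deliberately not listed: <image href="data:..."> is common in legitimate SVGs)
DANGEROUS_SCHEME = re.compile(r"^(javascript|vbscript):", re.IGNORECASE)


def _local(tag):
    """Strip a namespace prefix like '{http://www.w3.org/2000/svg}' from a tag or attribute name."""
    return tag.rsplit("}", 1)[-1]


def find_svg_issues(svg_bytes):
    """Return human-readable reasons the SVG must be rejected (empty list means it passed)."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    issues = []
    if _local(root.tag) != "svg":
        issues.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():
        name = _local(el.tag)
        if name in FORBIDDEN_ELEMENTS:
            issues.append(f"forbidden element <{name}>")
        # SMIL animation elements can rewrite an href on their parent after load
        if name in ("set", "animate") and el.attrib.get("attributeName", "").endswith("href"):
            issues.append(f"<{name}> rewrites an href attribute")
        for attr, value in el.attrib.items():
            aname = _local(attr)
            if aname.lower().startswith("on"):
                issues.append(f"event handler attribute {aname} on <{name}>")
            elif aname in ("href", "src"):
                # Browsers ignore leading whitespace/control characters when reading the scheme,
                # so strip them before matching instead of trusting the raw value
                cleaned = re.sub(r"[\x00-\x20]", "", value)
                if DANGEROUS_SCHEME.match(cleaned):
                    issues.append(f"unsafe URL scheme in {aname} on <{name}>")
    return issues


def is_safe_svg(svg_bytes):
    """Upload gate: True only when no issue was found."""
    return not find_svg_issues(svg_bytes)


def upload_response_headers(filename):
    """Headers for serving a user-uploaded SVG (assumed deployment policy, not the project's own).

    The report's trigger is following a link to the upload, i.e. a top-level navigation; these
    headers make that navigation a download and, if the file is rendered anyway, deny script.
    """
    return {
        "Content-Type": "image/svg+xml",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{filename}"',
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
    }


# Constructed samples for the checks above (not the reporter's PoC file)
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              b'<circle cx="5" cy="5" r="4"/></svg>')
SCRIPT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* inert marker */</script></svg>'
HANDLER_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg">'
               b'<rect width="1" height="1" onload="void 0"/></svg>')
LINK_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
            b'<a xlink:href=" javascript:void(0)"><text>x</text></a></svg>')

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_SVG), ("script", SCRIPT_SVG),
                       ("handler", HANDLER_SVG), ("link", LINK_SVG)]:
        print(label, "accepted" if is_safe_svg(doc) else find_svg_issues(doc))
    print(upload_response_headers("logo.svg"))
```

The element and attribute checks are an allow/deny hybrid: a stricter design would keep an allow-list of SVG elements and attributes and drop everything else, which is what sanitizer libraries do. The headers matter independently of the upload check, because the same `uploads/...` path is reachable by anyone who can obtain the link.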

We have contacted a member of the apostrophecms/apostrophe team and are waiting to hear back 4 months ago
0x9x modified their report
4 months ago
Alex Bea
4 months ago

Maintainer


Thank you for the report. We are evaluating options to address this internally. I'm not able to see the report details anymore, though. Please include me (GitHub user abea), Tom (boutell), and Alex (agilbert) on the report as maintainers. You can see us all on the core team here: https://github.com/orgs/apostrophecms/people

Jamie Slome
4 months ago

Admin


@abea - thanks for getting in touch. I will get this sorted for you ASAP!

Jamie Slome
4 months ago

Admin


@abea - this has now been sorted for you <3

Alex Bea
4 months ago

Maintainer


Thank you, Jamie

Alex Bea validated this vulnerability 4 months ago
0x9x has been awarded the disclosure bounty
The fix bounty is now up for grabs
0x9x
4 months ago

Researcher


Thank you for validating the issue. Best,

0x9x
4 months ago

Researcher


Thanks for confirming the issue. Best,

Tom Boutell confirmed that a fix has been merged on c8b94e 3 months ago
Tom Boutell has been awarded the fix bounty