Cross-site Scripting (XSS) - Stored in apostrophecms/apostrophe

Valid

Reported on

Jul 29th 2021


✍️ Description :

An attacker could upload a specially crafted SVG image containing malicious scripting code. When following a link to this image, the code would be executed.

🕵️‍♂️ Proof of Concept :

// PoC.js

var payload = ...
PoC link on the demo instance: https://demo-ckrp2ycbk01etdvxw1myanric.apostrophecmsdemo.org/uploads/ckrp2ycbk01etdvxw1myanric/attachments/ckrp2ze0p01eydvxw81sbtqk4-xss-xml-svg-font-example-poc.svg

💥 Impact :

This vulnerability is capable of stealing user sessions, taking over user accounts, and redirecting users to an attacker-controlled site.
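A defender-side check for this class of issue, added here as an example and not part of the report or of Apostrophe's own code: an upload-time filter that rejects SVGs carrying script-capable markup, plus the response headers that keep an uploaded SVG inert when it is opened by direct navigation (the vector in this report). The header object is illustrative of what any Node.js web framework would set, not an Apostrophe API; the sample SVGs are constructed.

```javascript
// Added example, not Apostrophe's code: reject uploaded SVGs that carry script-capable
// markup, and serve any accepted SVG with headers that keep it inert when opened directly.
// The patterns are deliberately conservative (a false positive just rejects an upload).
const ACTIVE_CONTENT = [
  /<\s*(?:[a-z]+:)?script\b/i,                                  // <script> or <svg:script>
  /<\s*(?:[a-z]+:)?foreignObject\b/i,                           // can embed arbitrary HTML
  /\son[a-z]+\s*=/i,                                            // onload=, onclick=, ... handlers
  /(?:href|xlink:href)\s*=\s*["']?\s*(?:javascript:|data:\s*text\/html)/i, // script-bearing URLs
  /<\s*(?:set|animate)\b[^>]*attributeName\s*=\s*["']?(?:xlink:)?href/i,   // animated hrefs
  /<!ENTITY\b/i,                                                // no DTD entities (obfuscation)
];

// Returns true if the SVG text should be rejected at upload time.
function svgHasActiveContent(svgText) {
  return ACTIVE_CONTENT.some((re) => re.test(svgText));
}

// Headers for serving a user-uploaded SVG. "attachment" forces a download on direct
// navigation while <img> embedding keeps working (browsers ignore the disposition for
// subresources), and the CSP blocks script if the file is ever rendered as a document.
function svgResponseHeaders(filename) {
  const safeName = filename.replace(/[^\w.-]/g, '_'); // keep the header value simple
  return {
    'Content-Type': 'image/svg+xml',
    'Content-Disposition': `attachment; filename="${safeName}"`,
    'Content-Security-Policy': "default-src 'none'; style-src 'unsafe-inline'",
    'X-Content-Type-Options': 'nosniff',
  };
}

// Constructed samples for a quick self-check (not taken from the report).
const SAMPLES = {
  clean: '<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4"/></svg>',
  handler: '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>',
  script: '<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>',
  nsScript: '<svg:svg xmlns:svg="http://www.w3.org/2000/svg"><svg:script>alert(1)</svg:script></svg:svg>',
};

// Runs every sample through the filter; returns e.g. { clean: 'accept', handler: 'reject', ... }.
function checkSamples() {
  const out = {};
  for (const [name, svg] of Object.entries(SAMPLES)) out[name] = svgHasActiveContent(svg) ? 'reject' : 'accept';
  return out;
}
```

Rejecting at upload is the cheap first layer; the headers are what actually close the "follow a link to the image" path for files already on disk.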

We have contacted a member of the apostrophecms/apostrophe team and are waiting to hear back
a year ago
0x9x modified the report
a year ago
Alex Bea
a year ago

Thank you for the report. We are evaluating options to address this internally. I'm not able to see the report details anymore, though. Please include me (GitHub user abea), Tom (boutell), and Alex (agilbert) on the report as maintainers. You can see us all on the core team here: https://github.com/orgs/apostrophecms/people

Jamie Slome
a year ago

Admin


@abea - thanks for getting in touch. I will get this sorted for you ASAP!

Jamie Slome
a year ago

Admin


@abea - this has now been sorted for you <3

Alex Bea
a year ago

Thank you, Jamie

Alex Bea validated this vulnerability a year ago
0x9x has been awarded the disclosure bounty
The fix bounty is now up for grabs
0x9x
a year ago

Researcher


Thank you for validating the issue. Best,

0x9x
a year ago

Researcher


Thanks for confirming the issue. Best,

Tom Boutell marked this as fixed with commit c8b94e a year ago
Tom Boutell has been awarded the fix bounty
This vulnerability will not receive a CVE