Cross-site Scripting (XSS) in spiral-project/ihatemoney
Reported on
Jul 15th 2022
Description
ihatemoney is vulnerable to Cross-Site Scripting (XSS) when inviting people via email.
Steps to reproduce
1. Go to https://ihatemoney.org/ and try out the demo.
2. In the bottom left, click on Invite people.
3. In the Send via Emails section, input the payload: <img src=x onerror=alert(document.domain)> into the People to notify field.
4. Click the Send the invitations button and you will see that a pop-up will display.
Impact
This vulnerability has the potential to deface websites, result in compromised user accounts, and can run malicious code on web pages, which can lead to a compromise of the user’s device.
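The report above shows the People to notify field being echoed back into the page without encoding. The following is an added example, not code from ihatemoney or from the reporter, that contrasts the vulnerable interpolation with two defensive controls a maintainer would apply: validate each recipient entry against an address shape on the way in, and HTML-escape whatever is echoed on the way out (including error feedback, which repeats the user's input). The sample field value and the address regex are constructed for this illustration and are not the project's own validator.

```python
import html
import re

# Constructed sample: the "People to notify" field as submitted in the report,
# with two legitimate addresses around the payload.
SAMPLE_FIELD = (
    "alice@example.com, <img src=x onerror=alert(document.domain)>, bob@example.org"
)

# Conservative address syntax for the invite field.
# Assumption: this is an illustrative regex, not ihatemoney's own validation.
_ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def split_recipients(field: str) -> list[str]:
    """Split the comma-separated field into trimmed, non-empty entries."""
    return [part.strip() for part in field.split(",") if part.strip()]


def validate_recipients(field: str) -> tuple[list[str], list[str]]:
    """Return (accepted, rejected); anything not shaped like an address is rejected."""
    accepted, rejected = [], []
    for entry in split_recipients(field):
        (accepted if _ADDR_RE.match(entry) else rejected).append(entry)
    return accepted, rejected


def render_unsafe(field: str) -> str:
    """Vulnerable pattern: raw user input interpolated straight into HTML."""
    return f"<p>Invitations sent to: {field}</p>"


def render_safe(field: str) -> str:
    """Hardened pattern: output-encode at the sink, independent of input validation."""
    return f"<p>Invitations sent to: {html.escape(field)}</p>"


def error_message_safe(rejected: list[str]) -> str:
    """Error feedback echoes the rejected entries, so it must be escaped as well."""
    items = ", ".join(html.escape(entry) for entry in rejected)
    return f"<p>Invalid address(es): {items}</p>"


if __name__ == "__main__":
    ok, bad = validate_recipients(SAMPLE_FIELD)
    print("accepted:", ok)
    print("rejected:", bad)
    print(render_unsafe(SAMPLE_FIELD))   # payload reaches the browser as markup
    print(render_safe(SAMPLE_FIELD))     # payload reaches the browser as text
    print(error_message_safe(bad))
```

Validation alone is not the fix: the rejected entries are still shown back to the user in the error message, so escaping at every sink is what actually closes the hole. In a Flask application this is the same thing Jinja2 autoescaping does for templates; the danger is in code paths (flash messages, `Markup`, `|safe`) that bypass it.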
Occurrences
Hi @maintainer, why does the CSRF on logout vulnerability have a severity of 8.8 (High) while the XSS vulnerability in my report is only marked with a severity of 4.4 (Medium)?
Can you explain how you calculate the CVSS score for this report? It is a bit unfair here.
You can see the CSRF on logout vulnerability in these reports:
https://hackerone.com/reports/905831
and https://bugcrowd.com/disclosures/cfe6a8ef-24a9-4c8e-b75b-5134e8e085f3/csrf-leads-to-logout-any-loggedin-user-from-their-session
Their severity is informational or low, but in your previous report, you still accepted it with High severity.
If so, why is my report with the XSS vulnerability only Medium (4.4)? I will be very happy if I know the reason for it. Many thanks!