Cross-site Scripting (XSS) in spiral-project/ihatemoney

Valid

Reported on Jul 15th 2022


Description

ihatemoney is vulnerable to Cross-Site Scripting (XSS) in its invite-by-email feature: markup entered in the People to notify field is rendered by the page and executed in the browser.

Steps to reproduce

1. Go to https://ihatemoney.org/ and try out the demo.
2. In the bottom left, click on Invite people.
3. In the Send via Emails section, enter the payload <img src=x onerror=alert(document.domain)> into the People to notify field.
4. Click the Send the invitations button; an alert pop-up appears, showing that the input was rendered as HTML.
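As an added illustration of the defensive side of the steps above (example code, not ihatemoney's own forms.py and not the merged fix), the following shows how a comma-separated recipients field can be validated so that only plausible e-mail addresses are accepted, with every rejected value HTML-escaped before it is echoed back in an error message. The field handling, the regex and the message wording are assumptions made for this example.

```python
# Added example (not ihatemoney's own code): parse the "People to notify"
# field, reject entries that are not plausible e-mail addresses, and
# HTML-escape any rejected value before it is placed in an error message.
import html
import re

# Deliberately conservative address shape: no whitespace, '<', '>', quotes
# or other characters that could begin markup; exactly one '@'; a dotted
# domain. Assumption: this is stricter than RFC 5322 and that is intended.
_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def parse_recipients(raw: str) -> list[str]:
    """Split the field on commas, strip whitespace and drop empty entries."""
    return [part.strip() for part in raw.split(",") if part.strip()]


def validate_recipients(raw: str) -> tuple[list[str], list[str]]:
    """Return (accepted_addresses, error_messages).

    Every rejected entry is escaped with html.escape before it is embedded
    in the message, so even a template that marks the message as safe cannot
    turn user input into markup.
    """
    accepted, errors = [], []
    for entry in parse_recipients(raw):
        if _EMAIL_RE.fullmatch(entry):
            accepted.append(entry)
        else:
            errors.append(
                "The email %s is not valid" % html.escape(entry, quote=True)
            )
    return accepted, errors


if __name__ == "__main__":
    # Constructed input: one valid address followed by the payload from the
    # report, which must be rejected and rendered inert.
    raw = "alice@example.com, <img src=x onerror=alert(document.domain)>"
    ok, errs = validate_recipients(raw)
    print(ok)    # ['alice@example.com']
    print(errs)  # ['The email &lt;img src=x onerror=alert(document.domain)&gt; is not valid']
```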

Impact

This vulnerability can be used to deface the site, compromise user accounts, and run malicious code in the victim's browser, which can lead to a compromise of the user's device.

We are processing your report and will contact the spiral-project/ihatemoney team within 24 hours. 19 days ago
We have contacted a member of the spiral-project/ihatemoney team and are waiting to hear back 18 days ago
spiral-project/ihatemoney maintainer modified the Severity from High (7.3) to Medium (4.4) 18 days ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
spiral-project/ihatemoney maintainer validated this vulnerability 18 days ago
KhanhCM has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
spiral-project/ihatemoney maintainer confirmed that a fix has been merged on 667b65 18 days ago
The fix bounty has been dropped
forms.py#L432-L444 has been validated
KhanhCM
18 days ago

Researcher


Hi @maintainer, why does the CSRF on logout vulnerability have a severity of 8.8 (High) while the XSS vulnerability in my report is only marked with a severity of 4.4 (Medium)?

KhanhCM
18 days ago

Researcher


Can you explain how you calculated the CVSS score for this report? It seems a bit unfair.
You can see the CSRF on logout vulnerability in these reports:
https://hackerone.com/reports/905831 and https://bugcrowd.com/disclosures/cfe6a8ef-24a9-4c8e-b75b-5134e8e085f3/csrf-leads-to-logout-any-loggedin-user-from-their-session
Their severity is informational or low, but in your previous report you still accepted it with High severity.
If so, why is my report with the XSS vulnerability only Medium (4.4)? I would be very happy to know the reason. Many thanks!
