monica

vulnerability cross-site scripting (xss) - stored (cwe-79)
severity 7.3
language php
registry other

Vulnerability

Site-wide stored cross-site scripting via client-side template injection (authenticated)

✍️ Description

The Blade templates echo user-supplied data directly into markup that Vue JS later compiles as a component template. Blade's output escaping neutralises HTML metacharacters but leaves Vue's {{ }} delimiters intact, so an attacker can supply a Vue template expression in an ordinary data field. Vue evaluates it on render, resulting in client-side template injection (CSTI) that behaves as stored XSS.

🕵️‍♂️ Proof of Concept

  1. With the CRM installed, log in and click "Add Someone".
  2. In the name field, enter the payload {{ alert('xss') }}
  3. Click Add. The payload is stored in the database, and when any page renders the stored name, Vue compiles the braces as a template expression and the JavaScript runs.


Why it happens

Monica CRM is built on Laravel and uses Vue JS for its frontend. In Vue JS, text interpolation is written with double curly braces, e.g. {{ message }}, and the content between the braces is not plain text but a JavaScript expression that Vue evaluates against the component instance when it compiles the template. If an attacker can get these delimiters into the DOM that Vue compiles, they can supply their own expression and execute JavaScript. Because the Blade templates render the Vue components server-side, the attacker stores a Vue template expression in the database through an ordinary field, Blade echoes it into the component markup, and Vue then treats it as a valid template. Server-side HTML escaping does not help here: it encodes < > " ' and &, but it leaves the braces untouched, and the browser decodes the entities back to raw characters before Vue reads the DOM.

Mitigation

The vulnerable pattern is used across the whole frontend rather than in a single view. The fix is to stop interpolating server-rendered data into markup that Vue compiles: load the data from an API in the frontend JavaScript app and bind it with Vue's data bindings (for example v-text), so that user-controlled values are never parsed as template source. Where server-side rendering of a value has to remain, the element can be marked with v-pre so that Vue skips compiling it.
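The following is an added example, not Monica's code, that models the pipeline described under "Why it happens" and the v-pre hardening mentioned in the mitigation: Blade escapes the stored name, the browser's HTML parser decodes the entities again, and a simplified stand-in for Vue 2's text compilation evaluates whatever sits between {{ and }}. The contact-card markup, the vm object and the simulate() helper are assumptions made for the illustration; the escaping and decoding rules are the standard htmlspecialchars and HTML-parser behaviour.

```javascript
// Added example (not Monica's code): a small model of the Blade -> browser -> Vue
// pipeline, showing why HTML escaping does not stop client-side template injection.
// The contact-card markup and the vm object are assumptions for illustration.

// Blade's {{ $value }} applies htmlspecialchars() with ENT_QUOTES semantics.
function bladeEcho(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#039;");
}

// What the browser's HTML parser does to a text node before Vue ever sees it:
// the entities Blade produced are decoded back to raw characters.
function decodeEntities(text) {
  return text
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"')
    .replace(/&#039;/g, "'")
    .replace(/&amp;/g, "&");
}

// innerHTML-style serialisation of a text node (only &, < and > are escaped).
function serializeText(text) {
  return text.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Vulnerable pattern: the stored name is interpolated straight into markup inside the Vue root.
function renderContactCardVulnerable(name) {
  return `<div id="app"><h2 class="name">${bladeEcho(name)}</h2></div>`;
}

// Hardened pattern: v-pre tells Vue to skip compiling this element and its children,
// so stored braces stay inert text. (Loading the value from an API and binding it
// with v-text, as the mitigation recommends, avoids server-side interpolation entirely.)
function renderContactCardSafe(name) {
  return `<div id="app"><h2 class="name" v-pre>${bladeEcho(name)}</h2></div>`;
}

const MUSTACHE_RE = /\{\{([\s\S]+?)\}\}/g;

// Simplified model of Vue 2 text compilation: every {{ expr }} becomes a JavaScript
// expression evaluated as `with (this) { ... }` against the component instance.
// Identifiers that are not component properties fall through to the global scope,
// which is why a stored alert('xss') is reachable. null/undefined render as "".
function compileTextLikeVue(text, vm) {
  return text.replace(MUSTACHE_RE, (_, expr) => {
    const render = new Function("with (this) { return (" + expr + "); }");
    const value = render.call(vm);
    return value == null ? "" : String(value);
  });
}

// Walks server-rendered HTML the way "browser parses, then Vue mounts" would: text runs
// are entity-decoded, then compiled unless an enclosing element carries v-pre.
// Only handles the simple markup of this example (no '>' inside attribute values).
function mountLikeVue(html, vm) {
  const preStack = [false];
  let out = "";
  for (const token of html.split(/(<[^>]+>)/)) {
    if (token === "") continue;
    if (token.startsWith("</")) {
      preStack.pop();
      out += token;
    } else if (token.startsWith("<")) {
      if (!token.endsWith("/>")) {
        const inherited = preStack[preStack.length - 1];
        preStack.push(inherited || /\sv-pre(?=[\s>=])/.test(token));
      }
      out += token;
    } else {
      const text = decodeEntities(token);
      const inPre = preStack[preStack.length - 1];
      out += serializeText(inPre ? text : compileTextLikeVue(text, vm));
    }
  }
  return out;
}

// Runs one render through the pipeline with a recording stand-in for window.alert,
// returning what ends up in the DOM and which alert() calls fired.
function simulate(render, storedName) {
  const alerts = [];
  const previousAlert = globalThis.alert;
  globalThis.alert = (msg) => { alerts.push(msg); };
  try {
    const rendered = mountLikeVue(render(storedName), { user: "victim" });
    return { rendered, alerts };
  } finally {
    if (previousAlert === undefined) delete globalThis.alert;
    else globalThis.alert = previousAlert;
  }
}

const PAYLOAD = "{{ alert('xss') }}"; // the payload from the proof of concept above
console.log(bladeEcho(PAYLOAD));                             // braces survive escaping
console.log(simulate(renderContactCardVulnerable, PAYLOAD)); // alerts: ["xss"]
console.log(simulate(renderContactCardSafe, PAYLOAD));       // alerts: []
```

Running the vulnerable renderer with a benign expression such as {{ 7 * 6 }} yields the text "42" in the DOM, which is the quickest way to confirm that a server-rendered field is being compiled by Vue rather than displayed as text; the same check with the v-pre variant leaves the braces untouched.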

💥 Impact

Stored cross-site scripting lets an attacker execute arbitrary JavaScript in a victim's browser session, which can be used to take over the victim's account or perform any critical action on the victim's behalf. Because the payload is stored and the affected rendering pattern is site-wide, it fires for every user who views a page that renders the injected value.

References