XSS in Library Description and Synopsis in galaxyproject/galaxy

Valid

Reported on

Feb 20th 2023


Description

The 'description' and 'synopsis' fields of libraries are vulnerable to stored XSS injection. If a user sets the synopsis or description of a library to ''"><img src=x onerror=alert(1);>' they can set a stored XSS payload that fires whenever someone visits the /libraries page. Normally libraries are only editable by admins, but it is possible for admins to give edit permissions for specific libraries to regular users, meaning that this vulnerability could be used by an attacker on a normal user account if an admin gives them edit permission for a library.

Proof of Concept

As an admin, create a new library and give a normal user edit permissions. As the normal user, edit the name and synopsis of the library to be ''"><img src=x onerror=alert(1);>'. Visit the /libraries page on any account and notice that the stored XSS fires whenever anyone loads it.

Impact

An attacker can execute arbitrary JavaScript in a victim's browser.
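The defensive fix for this class of bug is output encoding: every user-controlled library field must be HTML-escaped at the point where it is placed into the /libraries page, whether as text content or inside an attribute. The following is an added illustration written for this page, not Galaxy's own code or its actual fix; the `Library` dataclass, `render_library_row` and `fields_with_markup` are hypothetical names, and the payload string is the one quoted in the report above. It renders a listing row with the payload in both fields and shows that the markup comes out inert, and it includes a small audit helper an admin could run over existing library records to find fields that already contain tag-like content.

```python
import html
import re
from dataclasses import dataclass

# The payload quoted in the report, used here as constructed test input.
PAYLOAD = "''\"><img src=x onerror=alert(1);>'"


@dataclass
class Library:
    """Hypothetical stand-in for a library record; all three fields are user-controlled."""
    name: str
    description: str
    synopsis: str


def escape_field(value: str) -> str:
    """Escape an untrusted field for safe use as HTML text or as a quoted attribute value.

    quote=True also converts ' and " so the value cannot break out of an attribute.
    """
    return html.escape(value, quote=True)


def render_library_row(lib: Library) -> str:
    """Render one row of a hypothetical /libraries listing.

    Every field passes through escape_field(); nothing user-controlled is
    interpolated raw, even inside the title attribute.
    """
    return (
        "<tr>"
        f"<td>{escape_field(lib.name)}</td>"
        f"<td>{escape_field(lib.description)}</td>"
        f'<td title="{escape_field(lib.synopsis)}">{escape_field(lib.synopsis)}</td>'
        "</tr>"
    )


# Matches anything that looks like an opening or closing HTML tag.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def fields_with_markup(lib: Library) -> list:
    """Audit helper: names of fields that contain tag-like content.

    Useful for reviewing stored records after a fix, since escaping on output
    protects the page but does not tell you which records were already abused.
    """
    candidates = (
        ("name", lib.name),
        ("description", lib.description),
        ("synopsis", lib.synopsis),
    )
    return [field for field, value in candidates if TAG_RE.search(value)]


if __name__ == "__main__":
    lib = Library(name="Reports", description=PAYLOAD, synopsis=PAYLOAD)
    print(render_library_row(lib))
    print("fields containing markup:", fields_with_markup(lib))
```

The rendered row contains `&lt;img ...&gt;` rather than a live `<img>` element, so the browser shows the payload as literal text and the `onerror` handler never exists as an attribute. The same principle applies in the client: a templating layer must treat these fields as text (e.g. text interpolation rather than raw-HTML binding), never as trusted markup.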

We are processing your report and will contact the galaxyproject/galaxy team within 24 hours. a month ago
We have contacted a member of the galaxyproject/galaxy team and are waiting to hear back a month ago
galaxyproject/galaxy maintainer has acknowledged this report 17 days ago
galaxyproject/galaxy maintainer validated this vulnerability 16 days ago
Russ has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
galaxyproject/galaxy maintainer marked this as fixed in 23.0 with commit 44fed0 16 days ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
This vulnerability is scheduled to go public on Mar 7th 2023
galaxyproject/galaxy maintainer
16 days ago

Hi, would appreciate if I can get a CVE assigned for one of my reports :) Especially given the severity of this one.

galaxyproject/galaxy maintainer published this vulnerability 16 days ago