XSS in Library Description and Synopsis in galaxyproject/galaxy
Reported on
Feb 20th 2023
Description
The 'description' and 'synopsis' fields of libraries are vulnerable to stored cross-site scripting (XSS). If a user sets the synopsis or description of a library to ''"><img src=x onerror=alert(1);>', the payload is stored and fires in the browser of anyone who visits the /libraries page. Normally libraries are only editable by admins, but an admin can grant edit permissions on a specific library to regular users, so a normal user account can exploit this vulnerability as soon as an admin gives it edit permission on a library.
Proof of Concept
As an admin, create a new library and give a normal user edit permissions. As the normal user, edit the name and synopsis of the library to be ''"><img src=x onerror=alert(1);>'. Visit /libraries from any account and observe that the stored payload fires for every visitor of that page.
Impact
An attacker can execute arbitrary JavaScript in a victim's browser.
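As an added example, not code from the Galaxy project: a minimal model of how a stored synopsis reaches the /libraries markup, the output-encoding fix beside the vulnerable rendering, and a check a reviewer can run over rendered rows. The field names, the row template and the function names are assumptions.

```javascript
// Added example (not Galaxy's own code). Library fields are untrusted input
// that lands in HTML; the fix is to escape them at the output boundary.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the five characters that can break out of a text node or a quoted
// attribute. This does not cover JavaScript or URL contexts; those need
// their own encoders.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: stored fields are interpolated unescaped, so a value
// such as "><img ...> closes the attribute and injects a new element.
function renderLibraryRowUnsafe(lib) {
  return `<tr><td title="${lib.synopsis}">${lib.name}</td><td>${lib.description}</td></tr>`;
}

// Hardened pattern: every untrusted field is escaped, whichever context
// (text node or quoted attribute) it lands in.
function renderLibraryRowSafe(lib) {
  return `<tr><td title="${escapeHtml(lib.synopsis)}">${escapeHtml(lib.name)}</td>` +
         `<td>${escapeHtml(lib.description)}</td></tr>`;
}

// Review check: a correctly rendered row contains only the template's own
// tags and no inline on* event-handler attribute. Attribute values are
// parsed as quoted tokens so escaped text inside them is not a false hit.
const TEMPLATE_TAGS = new Set(["tr", "td"]);
function hasInjectedMarkup(html) {
  for (const tag of html.matchAll(/<\/?([a-zA-Z][\w-]*)([^>]*)>/g)) {
    if (!TEMPLATE_TAGS.has(tag[1].toLowerCase())) return true;
    const attrs = tag[2].matchAll(/([^\s"'=<>\/]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g);
    for (const a of attrs) if (/^on[a-z]+$/i.test(a[1])) return true;
  }
  return false;
}

// Constructed sample: the payload quoted in the report, stored in the synopsis.
const SAMPLE_LIBRARY = {
  name: "Shared data",
  synopsis: '"><img src=x onerror=alert(1);>',
  description: "Inputs for the 2023 run",
};

console.log(hasInjectedMarkup(renderLibraryRowUnsafe(SAMPLE_LIBRARY))); // true
console.log(hasInjectedMarkup(renderLibraryRowSafe(SAMPLE_LIBRARY)));   // false
```

If the frontend binds the field through a framework (for example an innerHTML-style binding), the equivalent fix is to switch to the text binding rather than to escape by hand.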
Hi, I would appreciate it if I could get a CVE assigned for one of my reports :) Especially given the severity of this one.