Stored XSS in application name. in autolab/autolab

Valid

Reported on

May 11th 2022


Description

Hi there, there is a stored XSS in Oauth application name.

Proof of Concept

  1. Install a local instance of Autolab.
  2. Go to /oauth/applications and create a new application with name <img src=a onerror=alert(document.cookie)>.
  3. Click on Authorize and see that a pop up appears with user's cookies.

Link to POC https://drive.google.com/file/d/1r4bwjW803k_8RhNXAyRZK6Qa6hU6W9cS/view?usp=sharing

Impact

Stored XSS, cookies steal.

We are processing your report and will contact the autolab team within 24 hours. 17 days ago
We have contacted a member of the autolab team and are waiting to hear back 16 days ago
Joey Wildman modified the Severity from Critical to Low 15 days ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Joey Wildman validated this vulnerability 15 days ago

We have verified this issue and are working on a fix.

justinp09010 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Damian Ho confirmed that a fix has been merged on a0a241 14 days ago
Damian Ho has been awarded the fix bounty
to join this conversation