Reflected XSS in date in fossbilling/fossbilling

Valid

Reported on

Jul 1st 2023


Description

There is a reflected XSS in the FOSSBilling admin screen.

Proof of Concept

When a logged-in administrator opens the following URL, arbitrary script executes in their browser.

URL: https://localhost/admin?_url=%2Fadmin&date_to=2023-07-08&date_from=%27%22%3E%3Cimg%20src=x%20onerror=alert(3)%3E

Payload

'"><img src=x onerror=alert(3)>

Parameter

date_to
date_from

PoC Video

https://drive.google.com/file/d/1Zha4cWz-dBM8PWpmLvQUU2zHn2g_6PME/view?usp=sharing

Impact

An attacker may obtain the cookies of logged-in users or perform unauthorized operations in the administrator screen.

Occurrences

The payload supplied in the date_to / date_from parameters is reflected into the error message as is, without any HTML encoding.
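As an added example (not FOSSBilling's own code, and not the fix from PR 1394), the pattern described above beside a hardened form: a strict parser that only accepts real YYYY-MM-DD values, and an error renderer that HTML-encodes whatever user-controlled text it still has to display. Function names and the query array are hypothetical; the sample value is the payload from this report.

```php
<?php
declare(strict_types=1);

// Added example, not FOSSBilling's code and not the fix from PR 1394.
// Function names and the query array below are hypothetical/constructed.

/**
 * Strictly validate a "YYYY-MM-DD" filter value.
 * Returns null unless the string is a real calendar date, so no
 * attacker-controlled characters can survive as a "date".
 */
function parseFilterDate(?string $value): ?DateTimeImmutable
{
    if ($value === null || preg_match('/^\d{4}-\d{2}-\d{2}$/', $value) !== 1) {
        return null;
    }
    $date = DateTimeImmutable::createFromFormat('!Y-m-d', $value);
    // createFromFormat() silently rolls "2023-02-31" over into March;
    // the round-trip comparison rejects that as well.
    if ($date === false || $date->format('Y-m-d') !== $value) {
        return null;
    }
    return $date;
}

/** Vulnerable pattern: the raw parameter is interpolated into the error HTML. */
function renderDateErrorVulnerable(string $name, string $input): string
{
    return "<p class=\"error\">Invalid value for $name: $input</p>";
}

/**
 * Hardened pattern: anything user-controlled that still has to be shown is
 * HTML-encoded. ENT_QUOTES encodes both ' and " so the value cannot break
 * out of an attribute context either.
 */
function renderDateErrorHardened(string $name, string $input): string
{
    $safeInput = htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p class=\"error\">Invalid value for $name: $safeInput</p>";
}

/**
 * Read date_from/date_to from a query array. Valid dates come back as
 * objects; invalid ones produce an already-encoded error fragment.
 *
 * @return array{date_from: ?DateTimeImmutable, date_to: ?DateTimeImmutable, errors: string[]}
 */
function readDateRange(array $query): array
{
    $result = ['date_from' => null, 'date_to' => null, 'errors' => []];
    foreach (['date_from', 'date_to'] as $name) {
        $raw = $query[$name] ?? null;
        if ($raw === null || $raw === '') {
            continue;                  // filter not supplied: nothing to validate
        }
        if (!is_string($raw)) {
            $raw = '';                 // date_from[]=x style input is never a date
        }
        $date = parseFilterDate($raw);
        if ($date === null) {
            $result['errors'][] = renderDateErrorHardened($name, $raw);
        } else {
            $result[$name] = $date;
        }
    }
    return $result;
}

// Constructed query mirroring the report's URL (already URL-decoded, as in $_GET).
$query = [
    'date_to'   => '2023-07-08',
    'date_from' => '\'"><img src=x onerror=alert(3)>',
];

// Vulnerable renderer: the markup reaches the browser intact.
echo renderDateErrorVulnerable('date_from', $query['date_from']), PHP_EOL;

// Hardened path: the payload is shown as inert text and date_to is accepted.
$range = readDateRange($query);
echo implode(PHP_EOL, $range['errors']), PHP_EOL;
echo $range['date_to']->format('Y-m-d'), PHP_EOL;
```

The validation step alone would already have stopped this report's payload from being treated as a date, but the encoding step is what protects the error message itself, which is where the value was reflected; both belong in the fix.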

We are processing your report and will contact the fossbilling team within 24 hours. 3 months ago
morioka12 modified the report 3 months ago
morioka12 modified the report 3 months ago
Belle Aerni modified the Severity from Medium (6.5) to Medium (5.4) 3 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Belle Aerni validated this vulnerability 3 months ago
morioka12 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Belle Aerni
3 months ago

Maintainer


Thanks for the report. I've submitted a PR to resolve this: https://github.com/FOSSBilling/FOSSBilling/pull/1394

Belle Aerni marked this as fixed in 0.5.4 with commit 5eb516 3 months ago
Belle Aerni has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Jul 10th 2023
ErrorPage.php#L140 has been validated
morioka12
3 months ago

Researcher


Thanks for the fix!

Belle Aerni
3 months ago

Maintainer


Thanks for the report :)

Belle Aerni published this vulnerability 3 months ago