Reflected XSS on conversion filter function in beancount/fava
Valid
Reported on
Jul 28th 2022
Description
Fava v1.22 have a conversion filter function on income statement dashboard which allow user to perform XSS due to improper validation on filter conversion.
Proof of Concept
- Navigate to Fava demo instance https://fava.pythonanywhere.com/example-beancount-file/income_statement/.
- Filter on conversion type and add payload on the result.
- Hover mouse cursor to bar chart (visualization) and XSS alert will pop up.
Endpoints
- https://fava.pythonanywhere.com/huge-example-file/income_statement/?conversion=at_value
- https://fava.pythonanywhere.com/example-with-budgets/income_statement/?conversion=units
- https://fava.pythonanywhere.com/example-beancount-file/income_statement/?conversion=at_value
Payload
- "><img src=a onerror=alert(document.domain)>
Screenshot POC
Impact
This vulnerability is capable of executing a malicious javascript code in web page
Occurrences
We are processing your report and will contact the
beancount/fava
team within 24 hours.
a year ago
A
GitHub Issue
asking the maintainers to create a
SECURITY.md exists
a year ago
We have contacted a member of the
beancount/fava
team and are waiting to hear back
a year ago
din modified the report
a year ago
Thanks for the report :)
Since Fava URLs are dependent on the name of the underlying Beancount journal and the base URLs, which should be private and require a previous attack to be determined by the attacker, I've marked the attack complexity as "high"
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
The researcher's credibility has increased: +7
The fix bounty has been dropped
This vulnerability will not receive a CVE
conversion.py#L1-L120
has been validated
to join this conversation