Reflected XSS on conversion filter function in beancount/fava

Valid

Reported on

Jul 28th 2022


Description

Fava v1.22 have a conversion filter function on income statement dashboard which allow user to perform XSS due to improper validation on filter conversion.

Proof of Concept

  1. Navigate to Fava demo instance https://fava.pythonanywhere.com/example-beancount-file/income_statement/.
  2. Filter on conversion type and add payload on the result.
  3. Hover mouse cursor to bar chart (visualization) and XSS alert will pop up.

Endpoints

  • https://fava.pythonanywhere.com/huge-example-file/income_statement/?conversion=at_value
  • https://fava.pythonanywhere.com/example-with-budgets/income_statement/?conversion=units
  • https://fava.pythonanywhere.com/example-beancount-file/income_statement/?conversion=at_value

Payload

  1. "><img src=a onerror=alert(document.domain)>

Screenshot POC

  1. xss domain
  2. xss

Impact

This vulnerability is capable of executing a malicious javascript code in web page

We are processing your report and will contact the beancount/fava team within 24 hours. 15 days ago
We have contacted a member of the beancount/fava team and are waiting to hear back 14 days ago
din modified the report
13 days ago
beancount/fava maintainer modified the Severity from High (7.6) to Medium (6.9) 13 days ago
beancount/fava maintainer gave praise 13 days ago
Thanks for the report :) Since Fava URLs are dependent on the name of the underlying Beancount journal and the base URLs, which should be private and require a previous attack to be determined by the attacker, I've marked the attack complexity as "high"
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
beancount/fava maintainer validated this vulnerability 13 days ago
din has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
beancount/fava maintainer confirmed that a fix has been merged on 68bbb6 13 days ago
The fix bounty has been dropped
conversion.py#L1-L120 has been validated
din
13 days ago

Researcher


Thanks

to join this conversation