Stored HTML injection and Potential Cross Site Scripting in pixelfed ≤ 0.11.4 in pixelfed/pixelfed
Reported on
Feb 21st 2023
Description
pixelfed ≤ 0.11.4 is affected by an HTML injection and potential cross-site scripting vulnerability: the "Name" field entered at registration is rendered into the profile page without output encoding.
Steps to Reproduce:
1. Choose any server from https://pixelfed.org/servers and go to the registration page.
2. Enter your username, email and password, enter the following payload in the "Name" parameter, and click on sign up.
"><iframe/onload=alert()>
"><i><h1>HTML INJECTION</h1></i>
3. Cross-site scripting will now be triggered.
4. The malicious code will be executed in the web session of any user who visits the attacker's profile.
Proof Of Concept : https://drive.google.com/file/d/1W1HM3yEy0JTMhhlxd-2rzOPpF1b1Kj9U/view?usp=share_link
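The report boils down to one failure mode: the display name is concatenated into the profile page's HTML as-is, so the two payloads above break out of an attribute and open new tags. The following Python snippet is an added illustration, not pixelfed's own code; the template string and the function names are hypothetical. It renders the same constructed name through an unencoded template and through a context-encoded one, and adds a defence-in-depth input check, so the effect of each control can be compared on the report's payloads.

```python
import html
import re

# Payloads quoted from the report above, used here only as test input.
REPORTED_PAYLOADS = [
    '"><iframe/onload=alert()>',
    '"><i><h1>HTML INJECTION</h1></i>',
]

# Characters that can terminate an HTML attribute or start a tag.
_MARKUP_CHARS = re.compile(r'[<>"\']')


def contains_markup(name: str) -> bool:
    """Input-side check (defence in depth, not the primary fix): does a
    display name carry characters that can alter HTML structure when it is
    rendered without encoding?"""
    return _MARKUP_CHARS.search(name) is not None


def render_profile_unsafe(name: str) -> str:
    """Mirrors the failure mode described in the report: the name is placed
    into both an attribute and an element body with no encoding.
    Hypothetical template, not pixelfed's own markup."""
    return f'<a class="profile" title="{name}">{name}</a>'


def render_profile_safe(name: str) -> str:
    """Hardened version: html.escape(quote=True) converts < > & " ' into
    entities, which is sufficient for both the quoted-attribute context and
    the element-body context used in this template."""
    safe = html.escape(name, quote=True)
    return f'<a class="profile" title="{safe}">{safe}</a>'


def rendered_tags(fragment: str) -> list:
    """Return the tag names present in a rendered fragment, so a test can
    confirm that only the template's own <a> element survives encoding."""
    return re.findall(r'<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)', fragment)


if __name__ == "__main__":
    for payload in REPORTED_PAYLOADS:
        print("input rejected by check:", contains_markup(payload))
        print("tags in unsafe render :", rendered_tags(render_profile_unsafe(payload)))
        print("tags in safe render   :", rendered_tags(render_profile_safe(payload)))
```

The essential control is the encoding in `render_profile_safe`; the input check only narrows the attack surface and should not be relied on alone, since the same stored value may later be emitted in contexts (JavaScript, URLs, JSON) where a different encoder is required.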
Impact
This vulnerability allows an attacker to embed malicious code in their profile. In the worst case, any user visiting the attacker's profile can have their cookies hijacked, allowing the attacker to take over that user's account. Alternatively, the attacker can run a JavaScript payload in the web session of profile visitors, since a profile can be viewed by anyone simply by sending them a link.
Occurrences
References
It's executing everywhere: https://drive.google.com/file/d/1D2tV8_1qbWluSRfjfYKZc3hQLY9OG-bo/view?usp=share_link
Dear @maintainer,
Can you assign a CVE :).
Regards, Suvam
Dear @maintainer, it's possible for an attacker to create a global variable x in JavaScript containing one value as "document.cookie" and another one that alerts it.
Visit this page http://15.rs. An attacker can load external JavaScript from the shortest domain possible and load malicious JavaScript in the victim's web session.
Regards, @whoisshuva