Stored HTML injection to XSS in kimai/kimai
Reported on
Mar 26th 2023
Team,
I hope you are all doing well.
*. I wanted to bring to your attention a potential vulnerability on the website https://wearenotloosers.kimai.cloud.
*. During my research, I discovered that the user name fields are vulnerable to a stored HTML injection attack.
*. Which is reflecting while inviting user part.
Proof of Concept:
*. I have created a video demonstration of the vulnerability and uploaded it to my Google Drive.
*. The link for the video is provided below for your review:
https://drive.google.com/file/d/1KffmMn5WtzwFQGEABiHJN5Rd8cui_Zz4/view?usp=sharing
Reproduction Steps:
*. Go to the website https://wearenotloosers.kimai.cloud/
*. Edit your profile.
*. Change username as <a href=https://hackerbro.in>HBT-HACKER BRO TECHNOLOGIES</a>
*. Store it.
*. Then, move on to the team, and create new team.
*. Now, select the user which is holding the user name as <a href=https://hackerbro.in>HBT-HACKER BRO TECHNOLOGIES</a>
*. Check that part rendered the html injection.
*. Which will do open redirect to malicious sites.
*. That's the issue.
Impact
*. A stored HTML injection attack occurs when an attacker injects malicious HTML code into legitimate HTML code of a web application.
*. This vulnerability can lead to various types of attacks, including open redirects, phishing attempts, and browser hijacking.
*. Additionally, an attacker can gain access to the victim's IP address, latitude and longitude, and potentially carry out a camera phishing attack.
*. Overall, a stored HTML injection vulnerability can have severe consequences and it is important to prevent and mitigate this type of attack.
Solution:
*. Restrict special characters and HTML encode attributes in the input fields.
*. Use regular expressions or other techniques to detect and reject malicious input.
*. Avoid embedding user input into emails unless necessary and always HTML-encode user input before embedding it into emails.
*. Implement proper input validation and sanitization measures to prevent this type of vulnerability from occurring in the future.
Team,
I have escalated stored html injection to the xss.
XSS poc:
https://drive.google.com/file/d/1jQ9fVDrWgvbt7Oa4M5b_0kPjg2uvhG5X/view?usp=sharing
Payload:
"><img src="x" onmouseover="prompt(1);">
Hi Kevin,
Thanks for being updated ASAP.
I run a Software market, were we can create and sell applications and softwares. Which is called as Codify360 Technologies. I am looking for authors who can sell their scripts to our clients. I am planning to upload 100 plus erps before starting advertisement and marketing. I would like to invite you as a author. Hope you will be interested in this one.
Another important point is, if you are really satisfied with my findings in kimai, kindly give five star rating in Hacker Bro Technologies google my business page. Just do google search Hacker Bro Technologies and update review about my findings with good content and five star.
Thanks, much appreciated if you help to grow a young entrepreneur.
@admin Can you delete this comment once getting after update from the Kevin? If you even update review for Hacker Bro Technologies much appreciated.
Cheers!
Okay, that's nice. @admin can you delete the above comment, I think kevin was done with reading it out.
Just to clarify: the Kimai version running in the Cloud is not yet released, so this does not need a CVE.