Cross-site Scripting (XSS) - Stored in chevereto/chevereto-free

Valid

Reported on Jul 17th 2021


✍️ Description

Stored XSS via image upload

TESTED VERSION

Latest GitHub code as of 16/7/21

🕵️‍♂️ Proof of Concept

1. First, download the https://github.com/ranjit-git/poc/blob/master/xss%22'%3E%3Cimg%20src%3Dx%20onerror%3Dalert(123)%3E.jpeg image file on Linux. Don't change the file name. This type of file can be created on Linux.
2. Now go to your account in Chevereto, http://localhost/Chevereto-Free/upload, and upload the above image.
3. An image URL will now be generated, like http://localhost/Chevereto-Free/image/kwC.
4. When any user opens this URL, the XSS is executed.

I have uploaded a demo file to https://demo.chevereto.com/image/eoYiV. Your paid version may also be vulnerable to this attack.

VIDEO POC

https://drive.google.com/file/d/1HlWbvYayzS3_hfpkIJGBk0pCHde8JgEF/view?usp=sharing

💥 Impact

XSS bug

📍 Location

index.php#L18
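The bug class the maintainer later describes (a value derived from the uploaded file's name printed into HTML by the oembed code without safe_html escaping) can be modelled in a few lines of PHP. The block below is an added illustration, not Chevereto's code, and does not reproduce its oembed implementation: the `<link>` tag, the oembed route URL, the title derivation and the function names are assumptions chosen to show an attribute-context sink. The escaping primitive is PHP's built-in htmlspecialchars.

```php
<?php
// Added illustration, not Chevereto's code. It models the class of bug the
// maintainer describes: a value derived from the uploaded file's name is
// printed into HTML without escaping. The oembed <link> tag, the route URL,
// the title derivation and the function names are assumptions.

// Constructed input: the file name from the PoC (path stripped).
const POC_FILENAME = 'xss"\'><img src=x onerror=alert(123)>.jpeg';

// Assumed title derivation: the file name without its extension. pathinfo()
// splits on the last dot, so everything before ".jpeg" survives, including
// the quotes and angle brackets.
function titleFromFilename(string $filename): string
{
    return pathinfo($filename, PATHINFO_FILENAME);
}

// Vulnerable sink: the title is concatenated straight into an attribute.
// The PoC title starts with "' followed by >, which closes the attribute and
// the tag, so the following <img ...> becomes a real element and onerror fires.
function renderOembedLinkVulnerable(string $title, string $oembedUrl): string
{
    return '<link rel="alternate" type="application/json+oembed"'
        . ' href="' . $oembedUrl . '" title="' . $title . '">';
}

// Hardened sink: every untrusted value is escaped for the HTML attribute
// context before concatenation. ENT_QUOTES turns both " and ' into entities,
// so the attribute cannot be closed early; < and > become &lt; and &gt;.
function escapeAttr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderOembedLinkSafe(string $title, string $oembedUrl): string
{
    return '<link rel="alternate" type="application/json+oembed"'
        . ' href="' . escapeAttr($oembedUrl) . '" title="' . escapeAttr($title) . '">';
}

// Quick check a reviewer can run against any rendered page: does the markup
// still contain the raw title, tag and all? A correct sink never does.
function containsInjectedTag(string $html, string $title): bool
{
    return strpos($title, '<') !== false && strpos($html, $title) !== false;
}

$title = titleFromFilename(POC_FILENAME);
// Assumed route; only the shape of the URL matters here.
$oembedUrl = 'http://localhost/Chevereto-Free/oembed/?url=http://localhost/Chevereto-Free/image/kwC';

$vulnerable = renderOembedLinkVulnerable($title, $oembedUrl);
$safe = renderOembedLinkSafe($title, $oembedUrl);

echo 'vulnerable: ', $vulnerable, PHP_EOL;
echo 'injected?   ', containsInjectedTag($vulnerable, $title) ? 'yes' : 'no', PHP_EOL;
echo 'safe:       ', $safe, PHP_EOL;
echo 'injected?   ', containsInjectedTag($safe, $title) ? 'yes' : 'no', PHP_EOL;
```

Run it with `php` on the command line and compare the two `<link>` lines: the vulnerable one is cut at the first `"` of the payload and carries a live `<img>` element, the hardened one keeps the whole title inert inside the attribute. Escaping at the output sink is the fix the maintainer describes; filtering odd characters out of file names on upload is defence in depth, not a substitute, because, as the maintainer's test of forcing the value directly into the database shows, the sink renders whatever is in the record regardless of how it got there.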

Occurrences

ranjit-git modified their report 2 months ago

Ziding Zhang (Admin), 2 months ago:

Just got in touch with them. Waiting to hear back!

We have contacted a member of the chevereto/chevereto-free team and are waiting to hear back 2 months ago
chevereto/chevereto-free maintainer has invalidated this vulnerability 2 months ago
  1. Using the alleged file from the cloned repo didn't trigger the issue under Ubuntu 20 (Chrome, Falkon, Firefox).
  2. Accessing http://REDACTED/Chevereto-Free/image/kwC doesn't show any alert. We tested with many browsers, even on Windows.
  3. We are unable to validate the PoC.
The disclosure bounty has been dropped
The fix bounty has been dropped
chevereto/chevereto-free maintainer, 2 months ago:

Update: I've managed to trigger the issue by forcing the alleged XSS directly in the database. I've found that oembed was missing safe_html escaping when printing the value to HTML.

How can I re-open this?

Jamie Slome (Admin), 2 months ago:

Re-opened! 🎉

chevereto/chevereto-free maintainer validated this vulnerability 2 months ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
chevereto/chevereto-free maintainer, 22 days ago:

Hey, we've fixed this. Where can we send the money?

Jamie Slome (Admin), 22 days ago:

We sponsor the payment on your behalf!

If you would like to contribute to the vulnerability research into this repository, we can also support this.

Just make sure to confirm the relevant patch as well, using the confirm fix button!

chevereto/chevereto-free maintainer confirmed that a fix has been merged on 1c10ee 22 days ago
The fix bounty has been dropped
ranjit-git modified their report 22 days ago