Stored/Reflected XSS in identities leads to chained stored XSS in logs in modoboa/modoboa
Valid
Reported on Jan 24th 2023
Description
The XSS payload injected in the identities to create a new account leads to stored and reflected XSS in the identities page and also in the logs page.
Steps to Reproduce
1. Go to admin/identities
2. Enter the payload in the username, first name and last name, as these fields are not sanitized
3. This is the payload for triggering the XSS: "><img src/onerror=prompt(8)> and you can see the payload executed in both the accounts page upon deletion action and the stored XSS will get triggered in the Logs page.
4. Please refer to the POC for the same.
Proof of Concept
https://drive.google.com/file/d/1glc2cwyrmi_IwicJ5SD5n0Wuhi82AtEW/view?usp=sharing
Impact
Cross site scripting attacks can have devastating consequences. Code injected into a vulnerable application can exfiltrate data or install malware on the user’s machine. Attackers can masquerade as authorized users via session cookies, allowing them to perform any action allowed by the user account.
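The following is an added example, not part of the report and not Modoboa's code: a regression check that feeds the report's payload through a renderer and compares the resulting element structure with that of a benign username. The two `render_log_row_*` functions and the log row layout are hypothetical stand-ins for any view that echoes account fields into HTML.

```python
import html
from html.parser import HTMLParser

# Payload string quoted in step 3 of the report.
REPORT_PAYLOAD = '"><img src/onerror=prompt(8)>'


class TagCollector(HTMLParser):
    """Records the name of every start tag the parser sees."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(fragment):
    collector = TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags


def render_log_row_unsafe(username):
    # Hypothetical 'before': account data concatenated straight into markup.
    return '<tr><td title="' + username + '">account ' + username + " deleted</td></tr>"


def render_log_row_safe(username):
    # Hardened: encode for both HTML text and quoted-attribute contexts.
    value = html.escape(username, quote=True)
    return '<tr><td title="' + value + '">account ' + value + " deleted</td></tr>"


def injects_markup(render, value):
    """True if `value` changes the element structure compared with a benign name."""
    return tags_in(render(value)) != tags_in(render("alice"))


if __name__ == "__main__":
    for render in (render_log_row_unsafe, render_log_row_safe):
        print(render.__name__, injects_markup(render, REPORT_PAYLOAD))
```

The same check can be pointed at any page that displays account fields, such as a deletion confirmation or a log listing, by swapping in the function that produces its HTML.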
We are processing your report and will contact the modoboa team within 24 hours.
2 months ago
Sandeep Srinivasan modified the report
2 months ago
Sandeep Srinivasan modified the report
2 months ago
We have contacted a member of the modoboa team and are waiting to hear back
2 months ago
The researcher's credibility has increased: +7
Looks fixed
commit ID eef9ab7
once it's merged please move this report to fixed and request for a CVE
commit eef9ab72b5305578a3ad7a7463bd284aa645e98b (HEAD -> master, origin/fix/xss_fixes, fix/xss_fixes)
Author: Antoine Nguyen <tonio@ngyn.org>
Date: Thu Jan 26 10:41:15 2023 +0100
Avoid XSS issues while deleting account and looking at logs.
The fix bounty has been dropped
This vulnerability has been assigned a CVE
@maintainer bounty for this vulnerability?
Antoine Nguyen commented 23 days ago
Modoboa is free software and we don't make money on it, so unfortunately, no bounty available.