Stored/Reflected XSS in identities leads to chained stored XSS in logs in modoboa/modoboa
Reported on
Jan 24th 2023
Description
The XSS payload injected in the identities to create a new account leads to stored and reflected XSS in the identities page and also in the logs page.
Steps to Reproduce
1. Go to admin/identities
2. Enter the payload in the username, first name and last name, as these fields are not sanitized
3. This is the payload for triggering the XSS: "><img src/onerror=prompt(8)> and you can see the payload executed in the accounts page upon the deletion action, and the stored XSS will get triggered in the Logs page.
4. Please refer to the POC for the same.
Proof of Concept
https://drive.google.com/file/d/1glc2cwyrmi_IwicJ5SD5n0Wuhi82AtEW/view?usp=sharing
Impact
Cross site scripting attacks can have devastating consequences. Code injected into a vulnerable application can exfiltrate data or install malware on the user’s machine. Attackers can masquerade as authorized users via session cookies, allowing them to perform any action allowed by the user account.
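The report's root cause, an account field written into markup without output encoding, can be checked as a regression test like the one below. This is an added example, not modoboa's code or its patch: the row template and the function names are hypothetical, and only the payload string comes from step 3 of the report.

```python
import html
from html.parser import HTMLParser

# Payload quoted in step 3 of the report.
PAYLOAD = '"><img src/onerror=prompt(8)>'


def render_log_row_unsafe(username):
    """'Before' form: the stored value is concatenated straight into markup."""
    return ('<tr><td title="' + username + '">account '
            + username + ' deleted</td></tr>')


def render_log_row_safe(username):
    """Hardened form: HTML-escape the value, quotes included, on output."""
    safe = html.escape(username, quote=True)
    return f'<tr><td title="{safe}">account {safe} deleted</td></tr>'


class _TagCollector(HTMLParser):
    """Records every element, with its attributes, that the markup creates."""

    def __init__(self):
        super().__init__()
        self.elements = []

    def handle_starttag(self, tag, attrs):
        self.elements.append((tag, dict(attrs)))


def parse_elements(markup):
    """Parse markup the way a browser would tokenise it; list its elements."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.elements


def injected_elements(markup, allowed=("tr", "td")):
    """Elements the template never emits, or any carrying on* handlers."""
    return [(tag, attrs) for tag, attrs in parse_elements(markup)
            if tag not in allowed or any(k.startswith("on") for k in attrs)]


if __name__ == "__main__":
    print("unsafe:", injected_elements(render_log_row_unsafe(PAYLOAD)))
    print("safe:  ", injected_elements(render_log_row_safe(PAYLOAD)))
```

The same assertion can be run against every view that displays the username, first name or last name, since the report shows one stored value reaching both the identities page and the logs page.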
Here is a fix: https://github.com/modoboa/modoboa/pull/2763
Looks fixed
commit ID eef9ab7
once it's merged please move this report to fixed and request for a CVE
commit eef9ab72b5305578a3ad7a7463bd284aa645e98b (HEAD -> master, origin/fix/xss_fixes, fix/xss_fixes)
Author: Antoine Nguyen <tonio@ngyn.org>
Date: Thu Jan 26 10:41:15 2023 +0100
Avoid XSS issues while deleting account and looking at logs.
@maintainer bounty for this vulnerability?
any update about the bounty @maintainer?
Modoboa is free software and we don't make money on it, so unfortunately, no bounty available.