Cross-site Scripting (XSS) - Reflected in area17/twill

Valid

Reported on

Sep 14th 2021


Description

The application is vulnerable to a reflected cross-site scripting attack.

URL: /contact/offices/ Parameter: offset

Proof of Concept

Open the following URL in the browser for POC.

https://demo.twill.io/contact/offices/?columns[]=bulk&filter={%22status%22:%22published%22}&offset=alert(1)&page=1&sortDir=asc&sortKey=

The provided JavaScript will get executed in the browser, showing an alert.

Impact

The application or API includes unvalidated and unescaped user input as part of HTML output. A successful attack can allow the attacker to execute arbitrary HTML and JavaScript in the victim’s browser. Typically the user will need to interact with some malicious link that points to an attacker-controlled page, such as malicious watering hole websites, advertisements, or similar.
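The report does not include Twill's rendering code, so the following is an added example (not Twill's own code and not the fix in commit 2dd77b) that models the pattern behind the finding: a listing page that reflects query parameters such as `offset` and `page` into an inline script block. The unsafe renderer interpolates the raw strings, so any JavaScript placed in `offset` runs as code; the hardened version validates each parameter against its expected type (non-negative integer, allow-listed sort direction) and serialises the result with JSON plus escaping of the characters that can break out of a script context. The request object, function names and the `sortKey` length limit are assumptions chosen for this example.

```javascript
// Added example (not Twill's code): a minimal server-side listing renderer
// that reflects request parameters into an inline <script> config block,
// shown in an unsafe form and in a hardened form.

// Constructed request object, modelled on the query string in the report.
const sampleQuery = {
  columns: ['bulk'],
  filter: '{"status":"published"}',
  offset: 'alert(1)',
  page: '1',
  sortDir: 'asc',
  sortKey: '',
};

// UNSAFE: interpolates raw query values into JavaScript source.
// Whatever is valid JS in that position executes in the visitor's browser.
function renderListingUnsafe(query) {
  return `<script>window.LISTING = { offset: ${query.offset}, page: ${query.page} };</script>`;
}

// Strict non-negative integer parse: accepts only a run of 1-9 digits,
// so "-1", "1e3", "0x10" and "alert(1)" all fall back to the default.
function toNonNegativeInt(value, fallback) {
  if (typeof value !== 'string' || !/^\d{1,9}$/.test(value)) return fallback;
  return Number(value);
}

const ALLOWED_SORT_DIRS = new Set(['asc', 'desc']);

// Serialise a value for embedding inside an inline <script>: JSON.stringify,
// then escape the characters that could close the script element or
// terminate a JS string literal early (<, >, &, U+2028, U+2029).
function toScriptLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// HARDENED: coerce every reflected parameter to its expected type first.
// Hypothetical limit: sortKey is a short column name, so cap it at 64 chars.
function normalizeListingQuery(query) {
  return {
    offset: toNonNegativeInt(query.offset, 0),
    page: toNonNegativeInt(query.page, 1),
    sortDir: ALLOWED_SORT_DIRS.has(query.sortDir) ? query.sortDir : 'asc',
    sortKey: typeof query.sortKey === 'string' ? query.sortKey.slice(0, 64) : '',
  };
}

function renderListingSafe(query) {
  const config = normalizeListingQuery(query);
  return `<script>window.LISTING = ${toScriptLiteral(config)};</script>`;
}

// Detection aid for access-log review: names of parameters that should be
// numeric but carry non-digit content in this request.
function suspiciousNumericParams(query, names) {
  return names.filter((n) => query[n] !== undefined && !/^\d+$/.test(String(query[n])));
}

console.log('unsafe :', renderListingUnsafe(sampleQuery));
console.log('safe   :', renderListingSafe(sampleQuery));
console.log('flagged:', suspiciousNumericParams(sampleQuery, ['offset', 'page']));
```

The important design point is that validation happens on type, not on a blocklist of dangerous strings: an offset is an integer, so anything that is not digits is simply replaced, and the serialiser is only a second line of defence for the string-typed fields.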

We created a GitHub Issue asking the maintainers to create a SECURITY.md 3 months ago
Ziding Zhang
3 months ago

Admin

Hey Melbin, I’ve emailed the maintainers for you.

We have contacted a member of the area17/twill team and are waiting to hear back 3 months ago
area17/twill maintainer
3 months ago

Hi there, thank you for reporting this. We are actively looking into preventing it. For additional context, this software is 99,99% of the time running behind user authentication (with the possibility to enable 2FA). That said, the demo instance is not, and if an attacker were to know internal URLs and parameters, they could still target authenticated users, which I believe is what you are reporting. I will let you know as soon as a fix can be applied and released.

area17/twill maintainer
3 months ago

@melbinkm @zidingz the issue has been hot-fixed on the demo site and we are about to release Twill 1.2.4 and Twill 2.5.2 with that fix applied.

Melbin
3 months ago

Researcher

Thanks! Can you mark the issue valid and fixed?

Quentin Renard validated this vulnerability 3 months ago
Melbin Mathew Antony has been awarded the disclosure bounty
The fix bounty is now up for grabs
Patrick Boivin confirmed that a fix has been merged on 2dd77b 3 months ago
Patrick Boivin has been awarded the fix bounty