Mutation Stored XSS at homepage in bookwyrm-social/bookwyrm

Valid

Reported on Jul 4th 2022


Description

The bookwyrm HTML input sanitizer is vulnerable to mutation XSS (mXSS). The payload can be stored in a book description and is then rendered on the site's homepage (/#feed and /#discovery), so it affects every user and the main site itself.

Proof of Concept

Edit a book description:

// PoC
<math><mtext><table><mglyph><style><![CDATA ><img src=x onerror=alert('Pwned')></style><img title="]]&gt;&lt;/mglyph&gt;&lt;img&Tab;src=1&Tab;onerror=alert('Pwned')&gt;">

Visiting /#feed (the homepage of a logged-in user) or /#discovery (which shows the book carrying the payload) triggers the injected script and pops up a "Pwned" alert.

Link video PoC Mutation XSS

Suggestion

The root cause is a weakness of the HTMLParser class the sanitizer is built on: it is not guaranteed to parse every input the way a browser does, so markup the sanitizer sees as harmless text can be re-parsed by the browser as live tags. A purpose-built sanitizer such as DOMPurify gives better accuracy while still allowing HTML. Note that DOMPurify is a JavaScript library, so a server-side deployment would need an equivalent allowlist-based sanitizer for the backend.
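To make the parser-mismatch concrete, here is an added illustration (written for this page; it is not bookwyrm's sanitizer and does not use the report's payload): a minimal allowlist sanitizer subclassing Python's html.parser.HTMLParser in the style the suggestion above criticises, next to a hardened variant. The sample inputs are constructed. It shows two ways the parser's view of the input differs from the browser's: html.parser hands the body of <style>/<script> over as raw text, so a tag hidden there never reaches the allowlist, and with convert_charrefs=True it decodes entities before handing text over, so "&lt;img ...&gt;" comes back as a real tag if text is written out verbatim.

```python
# Added illustration for this page: a minimal HTMLParser-based sanitizer of
# the kind the report criticises, and a hardened variant. Hypothetical code,
# not bookwyrm's sanitizer; the inputs at the bottom are constructed samples.
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a", "ul", "ol", "li", "blockquote"}
ALLOWED_ATTRS = {"a": {"href"}}
RAW_TEXT_TAGS = {"script", "style"}  # html.parser delivers their bodies as raw text


class NaiveSanitizer(HTMLParser):
    """Allowlist tag filter that trusts text nodes.

    Both bugs come from assuming the parser's view equals the browser's view:
      * handle_data() writes text back verbatim. With convert_charrefs=True the
        parser has already decoded entities, so "&lt;img ...&gt;" is emitted
        as a live <img> tag.
      * The body of <script>/<style> arrives via handle_data(), never via
        handle_starttag(), so a tag hidden there bypasses the allowlist.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # tag dropped, but whatever text follows it is kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            value = value or ""
            if name == "href" and not value.lower().startswith(("http://", "https://")):
                continue  # rejects javascript: and data: URLs
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)  # BUG: decoded text is emitted unescaped

    def result(self):
        return "".join(self.out)


class HardenedSanitizer(NaiveSanitizer):
    """Same allowlist, but every text node is re-escaped on output and the
    raw-text body of a dropped <script>/<style> is discarded with it."""

    def __init__(self):
        super().__init__()
        self.in_raw_text = False

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self.in_raw_text = True  # swallow everything up to the end tag
            return
        super().handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            self.in_raw_text = False
            return
        super().handle_endtag(tag)

    def handle_data(self, data):
        if not self.in_raw_text:
            self.out.append(escape(data, quote=False))


def _run(parser_cls, html):
    parser = parser_cls()
    parser.feed(html)
    parser.close()
    return parser.result()


def sanitize_naive(html):
    return _run(NaiveSanitizer, html)


def sanitize_hardened(html):
    return _run(HardenedSanitizer, html)


# Constructed sample inputs (not the report's payload).
HIDDEN_IN_STYLE = "<style><img src=x onerror=alert(1)></style>"
ENTITY_ENCODED = "<p>&lt;img src=x onerror=alert(1)&gt;</p>"
BENIGN = '<b>hi</b> &amp; <a href="https://example.org" onclick="x()">link</a>'

if __name__ == "__main__":
    for sample in (HIDDEN_IN_STYLE, ENTITY_ENCODED, BENIGN):
        print("input:   ", sample)
        print("naive:   ", sanitize_naive(sample))
        print("hardened:", sanitize_hardened(sample))
```

For HIDDEN_IN_STYLE the naive sanitizer emits `<img src=x onerror=alert(1)>` unchanged, and for ENTITY_ENCODED it emits `<p><img src=x onerror=alert(1)></p>`; the hardened variant returns an empty string and `<p>&lt;img src=x onerror=alert(1)&gt;</p>` respectively, while keeping the benign markup intact. The hardened version is still only a sketch: it fixes the two mismatches shown here but continues to rely on html.parser tokenising like a browser elsewhere (foreign content such as <math> and <svg>, bogus comments, unclosed elements), which is why the suggestion above is to use a maintained sanitizer rather than patch a hand-written one.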

Impact

An attacker can deface the website, leak users' sensitive data, silently collect data, or use the foothold for further attacks (see the OWASP page on XSS for more details).

We are processing your report and will contact the bookwyrm-social/bookwyrm team within 24 hours. a month ago
Khang Vo (doublevkay) modified the report
a month ago
Khang Vo (doublevkay) modified the report
a month ago
We have contacted a member of the bookwyrm-social/bookwyrm team and are waiting to hear back a month ago
Mouse Reeve validated this vulnerability a month ago
Khang Vo (doublevkay) has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Mouse Reeve confirmed that a fix has been merged on fe33fd a month ago
Mouse Reeve has been awarded the fix bounty
Mouse Reeve gave praise a month ago
Thanks for flagging!
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Khang
a month ago

Researcher


Hey @Mouse Reeve. Great to see your response.

Could we assign a CVE for this and my other report? And if possible, adding a GitHub Security Advisory (GHSA) is good practice for publishing vulnerabilities. As a researcher, being credited on the GHSA is my pleasure and helps my work too.

Mouse Reeve
a month ago

Maintainer


I'd be happy to -- do you need me to create the CVE and add you, or is it something you can do? If I need to add you what's the right GitHub username to use?

Khang
a month ago

Researcher


Yes, an assigned CVE and a GHSA would be perfect for me. I would appreciate that a lot. @vovikhangcdv is my correct GitHub username. Thanks for your kindness.

Mouse Reeve
a month ago

Maintainer


Should be done and pending review from GitHub. Let me know if there's anything else I need to do :)

Khang
a month ago

Researcher


Hey, thanks for adding me to the GHSA. I have just changed the CVSS score a little bit, which I believe is more suitable in our case. Please let me know if there is anything you need me to explain.

Mouse Reeve
a month ago

Maintainer


Are you able to edit the CVE directly? If not, I used the calculator to get the score; can you tell me what values you used to get the score?

Khang
a month ago

Researcher


Looks like you added me as a collaborator, so I have already changed it. I used the calculator too. I forgot the details of the change, but for example the scope would be Changed instead of Unchanged, because the vulnerability's impact changes from the web server to the user's browser.

Khang
22 days ago

Researcher


Hi @admin, could you please assign CVE-2022-31136 for this report?

Jamie Slome
22 days ago

Admin


Sorted :)

Khang
22 days ago

Researcher


Thank you, Jamie.
