Mutation Stored XSS at homepage in bookwyrm-social/bookwyrm

Valid

Reported on

Jul 4th 2022


Description

The bookwyrm HTML input sanitizer is vulnerable to mutation XSS. The payload can be stored and is displayed on the homepage of the website (path /#feed or /#discovery), so it affects all users and the main site.

Proof of Concept

Edit a book description:

// PoC
<math><mtext><table><mglyph><style><![CDATA ><img src=x onerror=alert('Pwned')></style><img title="]]&gt;&lt;/mglyph&gt;&lt;img&Tab;src=1&Tab;onerror=alert('Pwned')&gt;">

Accessing /#feed (the homepage of a logged-in user) or /#discovery (which contains the book with the payload) triggers the malicious code and pops up a "Pwned" alert.

Link video PoC Mutation XSS

Suggestion

The vulnerability stems from a weakness of HTMLParser: it is not guaranteed to parse every kind of string input the way a browser does. You could switch to another sanitizer, such as DOMPurify, to achieve more accurate parsing while still supporting HTML.
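The parser/serializer disagreement described above can be caught by a cheap regression check: sanitizer output must be a fixed point (sanitizing it again changes nothing) and an independent re-parse of it must find no scripting vectors. The following is an added example, not BookWyrm's code and not the 0.4.1 fix; the allow-list sanitizer in it is a constructed stand-in whose escape_attrs=False mode reproduces an unescaped serializer beside its corrected form, and SAMPLE is a constructed input.

```python
import html
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "br", "ul", "ol", "li"}

class _Rebuilder(HTMLParser):
    """Re-emit allowed tags only, dropping on* attributes (constructed stand-in)."""
    def __init__(self, escape_attrs):
        super().__init__()  # convert_charrefs=True: text and attribute values arrive decoded
        self.escape_attrs, self.out = escape_attrs, []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return
        keep = [(n, v) for n, v in attrs if v is not None and not n.lower().startswith("on")]
        if self.escape_attrs:  # corrected form: re-encode quotes and angle brackets
            keep = [(n, html.escape(v, quote=True)) for n, v in keep]
        self.out.append("<" + tag + "".join(f' {n}="{v}"' for n, v in keep) + ">")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))  # text is always re-encoded

def sanitize(source, escape_attrs=True):
    """Stand-in sanitizer; escape_attrs=False writes attribute values back verbatim."""
    p = _Rebuilder(escape_attrs); p.feed(source); p.close()
    return "".join(p.out)

class _VectorFinder(HTMLParser):
    """Independent second parse of sanitizer output: record disallowed tags and on* attributes."""
    def __init__(self):
        super().__init__()
        self.vectors = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.vectors.append(tag)
        self.vectors += [n for n, _ in attrs if n.lower().startswith("on")]

def check_sanitizer(sanitize_fn, source):
    """Return (output_is_fixed_point, vectors_found_on_reparse); a safe sanitizer gives (True, [])."""
    once = sanitize_fn(source)
    f = _VectorFinder(); f.feed(once); f.close()
    return sanitize_fn(once) == once, f.vectors

# Constructed sample: a double quote inside a single-quoted attribute value.
SAMPLE = '''<p title='x" onclick="y'>hi</p>'''
```

Run check_sanitizer over a corpus of stored descriptions (or a fuzzer's output) in CI; any result other than (True, []) means the serialized form does not round-trip through the parser and needs a look.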

Impact

The attacker can deface the website, leak users' sensitive data, silently collect data, or chain other attacks (see the OWASP XSS page for more details).

We are processing your report and will contact the bookwyrm-social/bookwyrm team within 24 hours. a year ago
Khang Vo (doublevkay) modified the report
a year ago
We have contacted a member of the bookwyrm-social/bookwyrm team and are waiting to hear back a year ago
Mouse Reeve validated this vulnerability a year ago
Khang Vo (doublevkay) has been awarded the disclosure bounty
Mouse Reeve marked this as fixed in 0.4.1 with commit fe33fd a year ago
Mouse Reeve has been awarded the fix bounty
This vulnerability will not receive a CVE
Mouse Reeve gave praise a year ago
Thanks for flagging!
Khang
a year ago

Researcher


Hey @Mouse Reeve. Great to see your response.

Could we assign a CVE for this and my other report? And if possible, adding a GitHub Security Advisory (GSA) is good practice for publishing vulnerabilities. As a researcher, being credited on a GSA is my pleasure and helps my work too.

Mouse Reeve
a year ago

Maintainer


I'd be happy to -- do you need me to create the CVE and add you, or is it something you can do? If I need to add you what's the right GitHub username to use?

Khang
a year ago

Researcher


Yeah, an assigned CVE and an added GHSA would be perfect for me. I would appreciate that a lot. @vovikhangcdv is my correct GitHub username. Thanks for your kindness.

Mouse Reeve
a year ago

Maintainer


Should be done and pending review from GitHub. Let me know if there's anything else I need to do :)

Khang
a year ago

Researcher


Hey, thanks for adding me to the GHSA. I have just changed the CVSS score a little, which I believe is more suitable in our case. Please let me know if there is anything you need me to explain.

Mouse Reeve
a year ago

Maintainer


Are you able to edit the CVE directly? If not, I used the calculator to get the score; can you tell me what values you used to get the score?

Khang
a year ago

Researcher


Looks like you added me as a collaborator, so I have already changed it. I used the calculator too. I forgot the details of the change, but for example the scope would be Changed instead of Unchanged, because the vulnerability's impact moves from the web server to the user's browser.

Khang
10 months ago

Researcher


Hi @admin, could you please assign CVE-2022-31136 for this report?

Jamie Slome
10 months ago

Admin


Sorted :)

Khang
10 months ago

Researcher


Thank you, Jamie.
