Mutation Stored XSS at homepage in bookwyrm-social/bookwyrm
Reported on Jul 4th 2022
Description
bookwyrm's HTML input sanitizer is vulnerable to mutation XSS (mXSS). The payload can be stored and is rendered on the homepage of the website (paths /#feed or /#discovery), so it affects all users and the main site.
Proof of Concept
Edit a book description:
// PoC
<math><mtext><table><mglyph><style><![CDATA ><img src=x onerror=alert('Pwned')></style><img title="]]></mglyph><img	src=1	onerror=alert('Pwned')>">
Visiting /#feed (the homepage of a logged-in user) or /#discovery (which renders the book description containing the payload) triggers the malicious code and shows a "Pwned" alert.
Suggestion
The root cause is a weakness of HTMLParser: it is not guaranteed to parse every kind of string input correctly, so a sanitizer built on it can pass through markup that the browser later reassembles into executable HTML. Consider replacing it with a dedicated sanitizer such as DOMPurify, which is more accurate and still supports HTML.
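As an added illustration (this is not BookWyrm's code, and the two sanitizers below are hypothetical), here is a naive HTMLParser-based allowlist sanitizer of the kind that is open to mutation XSS, beside a hardened rewrite. The only facts it relies on are standard-library behaviour: html.parser hands back the contents of script and style elements as raw text, and decodes character references before calling handle_data(). The naive version copies text through verbatim, so both of those behaviours let markup re-enter the output; the hardened version rebuilds the output purely from the token stream, escapes every text node and attribute value, drops comments and declarations (where the browser and html.parser may disagree on where they end), and discards the content of a disallowed raw-text element. The sample inputs are constructed for the demonstration and are not the report's payload.

```python
"""Hypothetical naive vs. hardened HTMLParser-based sanitizers (not BookWyrm's)."""
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "br", "ul", "ol", "li", "blockquote"}
ALLOWED_ATTRS = {"a": {"href"}}
# html.parser returns the content of these elements as one raw-text chunk.
RAW_TEXT_TAGS = {"script", "style"}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")


class NaiveSanitizer(HTMLParser):
    """Drops disallowed tags but copies text through unchanged (the defect)."""

    def __init__(self):
        super().__init__()
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)  # BUG: entity-decoded and raw-text data emitted unescaped

    def result(self):
        return "".join(self.out)


class HardenedSanitizer(HTMLParser):
    """Re-serializes only allowlisted tokens; everything else is escaped or dropped."""

    def __init__(self):
        super().__init__()
        self.out = []
        self.skip_depth = 0  # > 0 while inside a disallowed raw-text element

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS and tag not in ALLOWED_TAGS:
            self.skip_depth += 1  # its raw content must not reach the output
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        parts = [f"<{tag}"]
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_SCHEMES):
                continue  # rejects javascript:, data: and similar schemes
            parts.append(f' {name}="{escape(value, quote=True)}"')
        parts.append(">")
        self.out.append("".join(parts))

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS and tag not in ALLOWED_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if not self.skip_depth and tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # text can never become a tag

    # Comments, <!DOCTYPE>, <![CDATA[...]]> and processing instructions: the
    # parser's idea of where they end need not match the browser's, so emit nothing.
    def handle_comment(self, data):
        pass

    def handle_decl(self, decl):
        pass

    def unknown_decl(self, data):
        pass

    def handle_pi(self, data):
        pass

    def result(self):
        return "".join(self.out)


def sanitize(markup, parser_cls):
    """Run one sanitizer class over a markup string and return its output."""
    p = parser_cls()
    p.feed(markup)
    p.close()  # flushes any buffered trailing text
    return p.result()


# Constructed sample inputs (not the report's payload).
SAMPLES = [
    "<p>ok</p><style><![CDATA ><img src=x onerror=alert(1)></style>",  # raw-text content of a dropped element
    "<b>bold</b> &lt;img src=x onerror=alert(1)&gt;",                   # entities decode back into a tag
    '<a href="https://example.org/?a=1&b=2">link</a>',                  # allowed attribute, needs re-escaping
    '<a href="javascript:alert(1)">x</a>',                              # disallowed URL scheme
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print("naive   :", sanitize(sample, NaiveSanitizer))
        print("hardened:", sanitize(sample, HardenedSanitizer))
```

The design point is that a sanitizer must never copy any substring of its input into its output; it should emit only what it rebuilt from tokens it understood, and escape or drop the rest. Even with that discipline, an HTML parser that is not spec-compliant remains a risk, which is why the suggestion above to move to a dedicated sanitizer still stands.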
Impact
An attacker can deface the website, leak users' sensitive data, covertly collect data, or chain other attacks (see the OWASP XSS page for more details).
Hey @Mouse Reeve. Great to see your response.
Could we assign CVE for this and my other report? And if possible, adding GitHub Security Advisory (GSA) is a good practice to publish vulnerabilities. As a researcher, being credited on GSA is my pleasure and helps my work too.
I'd be happy to -- do you need me to create the CVE and add you, or is it something you can do? If I need to add you what's the right GitHub username to use?
Yeah, an assigned CVE and a GHSA would be perfect for me. I would appreciate that a lot. @vovikhangcdv is my correct GitHub username. Thanks for your kindness.
Should be done and pending review from GitHub. Let me know if there's anything else I need to do :)
Hey, thanks for adding me to the GHSA. I have just changed the CVSS score a little bit, which I believe is more suitable in our case. Please let me know if there is anything you need me to explain.
Are you able to edit the CVE directly? If not, I used the calculator to get the score; can you tell me what values you used to get the score?
Looks like you added me as a collaborator, so I have already changed it. I used the calculator too. I forgot the details of the change, but for example the scope would be "changed" instead of "unchanged", because the vulnerability's impact moves from the web server to the user's browser.
Hi @admin, could you please assign CVE-2022-31136 for this report?