XSS in Markdown Events in alfio-event/alf.io

Valid

Reported on

Dec 7th 2022

Description

XSS Vulnerability in the Events and Markdown features

Proof of Concept

  1. Login to the dashboard

  2. Insert or Edit Events in the Description and Link

  3. Payload like that

[Link](javascript:alert(1))
[Link](data:text/html,s<script>alert(1) </script>)

POC:

https://drive.google.com/file/d/1WiNd8lgEjmSpUe4b0LCoKyFw47nsw45s/view?usp=sharing

https://drive.google.com/file/d/1s01gohZ3wQczDdYaC-sNNZ6g0WtOxwSK/view?usp=sharing

https://drive.google.com/file/d/1PCkUhsUI8JTJXMhTwHfSAgoYwIw2y86t/view?usp=sharing

Impact

Run Javascript Code on User Browser

We are processing your report and will contact the alfio-event/alf.io team within 24 hours. 4 months ago
Sylvain Jermini validated this vulnerability 4 months ago

hi @reza.duty , I mark this issue as Valid. It should be noted it must be done by the admin/event creator itself and it should preview the data and click the link, which is quite a contrived scenario, but anyway, good catch! We appreciate it.

We already did a fix by filtering out any non http / https protocols, which should handle this specific case.

Thank you.

reza.duty has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Sylvain Jermini marked this as fixed in Alf.io 2.0-M4-2301 with commit 21cb28 3 months ago
Sylvain Jermini has been awarded the fix bounty
This vulnerability has been assigned a CVE
Sylvain Jermini published this vulnerability 3 months ago
to join this conversation