XSS in Markdown Events in alfio-event/alf.io

Valid

Reported on

Dec 7th 2022


Description

XSS Vulnerability in the Events and Markdown features

Proof of Concept

  1. Log in to the dashboard

  2. Create or edit an event and insert a Markdown link in its description

  3. Use a payload like one of the following:

[Link](javascript:alert(1))
[Link](data:text/html,s<script>alert(1) </script>)

POC:

https://drive.google.com/file/d/1WiNd8lgEjmSpUe4b0LCoKyFw47nsw45s/view?usp=sharing

https://drive.google.com/file/d/1s01gohZ3wQczDdYaC-sNNZ6g0WtOxwSK/view?usp=sharing

https://drive.google.com/file/d/1PCkUhsUI8JTJXMhTwHfSAgoYwIw2y86t/view?usp=sharing

Impact

Runs JavaScript code in the user's browser

Sylvain Jermini validated this vulnerability a year ago

hi @reza.duty, I'm marking this issue as Valid. It should be noted that it must be done by the admin/event creator themselves, who must preview the data and click the link, which is quite a contrived scenario, but anyway, good catch! We appreciate it.

We have already made a fix by filtering out any non-http/https protocols, which should handle this specific case.

Thank you.
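The mitigation described above, as an added example that is not alf.io's own code: a scheme allow-list for Markdown link destinations, shown beside the unsafe pass-through rendering, and checked against the report's two payloads plus obfuscated variants (case, embedded tab, numeric entity) that a naive string comparison would miss. Function names and the sample inputs are this example's own.

```javascript
// Decode the numeric entities CommonMark resolves inside link destinations
// (e.g. "&#106;avascript:" is emitted as "javascript:") so the check sees
// the URL the browser will actually receive.
function decodeNumericEntities(s) {
  return s.replace(/&#(x[0-9a-f]+|\d+);/gi, (_, n) => {
    const cp = n[0].toLowerCase() === "x" ? parseInt(n.slice(1), 16) : parseInt(n, 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : "\uFFFD";
  });
}

// Read the scheme the way the WHATWG URL parser does: strip leading and
// trailing C0 controls and spaces, drop tab/CR/LF anywhere, ignore case.
function extractScheme(href) {
  const cleaned = decodeNumericEntities(href)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\r\n]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// The fix the maintainer describes: only http and https survive. Rejecting
// schemeless (relative) destinations too is this example's own strict choice.
function isSafeLinkUrl(href) {
  const scheme = extractScheme(href);
  return scheme === "http" || scheme === "https";
}

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable shape: the destination goes straight into href. Attribute
// escaping is no defence here; a javascript: or data: URL still runs on click.
function renderLinkUnsafe(text, href) {
  return `<a href="${escapeHtml(href)}">${escapeHtml(text)}</a>`;
}

// Hardened shape: a rejected destination degrades to plain text, not a link.
function renderLinkSafe(text, href) {
  return isSafeLinkUrl(href) ? renderLinkUnsafe(text, href) : escapeHtml(text);
}

// Constructed inputs: the report's two payloads plus obfuscated variants.
const SAMPLE_LINKS = [
  "javascript:alert(1)",
  "data:text/html,s<script>alert(1) </script>",
  " JaVaScRiPt:alert(1)",
  "java\tscript:alert(1)",
  "&#106;avascript:alert(1)",
  "https://example.com/",
];
```

Only the last sample survives `SAMPLE_LINKS.filter(isSafeLinkUrl)`; the check must run on the decoded destination, after the Markdown parser's entity handling, or the entity variant slips through.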

Sylvain Jermini marked this as fixed in Alf.io 2.0-M4-2301 with commit 21cb28 a year ago
This vulnerability has now been published a year ago