Cross-site Scripting (XSS) - Stored in nuxsmin/syspass

Valid

Reported on

May 31st 2022


Description

Stored Cross-Site Scripting (XSS) vulnerability due to the lack of content validation and output encoding.

Proof of Concept

1. Access the demo website https://demo.syspass.org and log in with an account.

2. Create a new account; in the URL/IP field enter https://google.com" onclick="alert(document.domain) -> the payload will escape from the href and title attributes -> set the permission to public for all accounts.

3. Save the account -> any other account tries to open the URL/IP assigned to that account -> an alert box will pop up.
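The rendering defect the report describes, shown here as an added illustration that is not syspass code: the account's URL value is written into the href and title attributes without encoding, so a double quote inside the value terminates the attribute and whatever follows becomes a new attribute. The function names, the template fragment and the scheme check are assumptions made for this example; the URL value is the one from the proof of concept above. The hardened version adds the two controls a reviewer would look for: attribute encoding with htmlspecialchars (ENT_QUOTES, so both quote styles are covered) and a scheme allowlist, because encoding alone still lets a javascript: URL through as a clickable link.

```php
<?php
// Added example, not syspass code: contrast an unencoded attribute with an
// encoded one. Function names and the markup fragment are assumptions.

declare(strict_types=1);

/** Vulnerable pattern: the value is interpolated straight into the attributes. */
function renderLinkUnsafe(string $url, string $title): string
{
    return '<a href="' . $url . '" title="' . $title . '">' . $title . '</a>';
}

/** Encode for an HTML attribute or text context. ENT_QUOTES covers " and '. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Allow only http(s) links. Encoding does not stop a javascript: URL from
 * being followed, so the scheme is checked separately (assumed policy).
 */
function isAllowedUrl(string $url): bool
{
    return preg_match('~^https?://~i', $url) === 1;
}

/** Hardened pattern: validate the scheme, then encode every interpolated value. */
function renderLinkSafe(string $url, string $title): string
{
    $href = isAllowedUrl($url) ? $url : '#';
    return '<a href="' . h($href) . '" title="' . h($title) . '">' . h($title) . '</a>';
}

/** Count name="..." attributes in the opening tag; extra ones signal injection. */
function attributeCount(string $html): int
{
    $openTag = substr($html, 0, (int) strpos($html, '>'));
    return preg_match_all('/\s[a-z]+="[^"]*"/i', $openTag);
}

// Value taken from the proof of concept in the report.
$reported = 'https://google.com" onclick="alert(document.domain)';

foreach (['unsafe' => renderLinkUnsafe($reported, 'demo'),
          'safe'   => renderLinkSafe($reported, 'demo')] as $label => $html) {
    // The unsafe rendering gains a third attribute; the safe one keeps two,
    // because the quote is emitted as &quot; and stays inside the href value.
    printf("%-6s attributes=%d  %s\n", $label, attributeCount($html), $html);
}
```

Running the script with `php` prints both renderings side by side; the attribute count is the quick way to see that the encoded output has not grown an onclick handler. In syspass the equivalent change belongs in the template that emits the account link (the report's timeline points at search-rows.inc), not in the code that stores the value, since the same stored string may be emitted into several contexts.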

Image (1 screenshot attached to the original report, not reproduced here)

Impact

1. Malicious JavaScript has access to all the same objects as the rest of the web page, including access to cookies and local storage, which are often used to store session tokens. If an attacker can obtain a user's session cookie, they can then impersonate that user.

2. Furthermore, JavaScript can read and make arbitrary modifications to the contents of a page being displayed to a user. Therefore, XSS in conjunction with some clever social engineering opens up a lot of possibilities for an attacker.

We are processing your report and will contact the nuxsmin/syspass team within 24 hours. a month ago
dungtuanha modified the report
a month ago
dungtuanha modified the report
a month ago
dungtuanha modified the report
a month ago
We have contacted a member of the nuxsmin/syspass team and are waiting to hear back 25 days ago
We have sent a follow up to the nuxsmin/syspass team. We will try again in 7 days. 22 days ago
nuxsmin/syspass maintainer has acknowledged this report 22 days ago
nuxsmin gave praise 22 days ago
Many thanks for your contribution!!
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
nuxsmin modified the Severity from Critical (9) to Medium (4.8) 22 days ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
nuxsmin validated this vulnerability 22 days ago
dungtuanha has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
nuxsmin confirmed that a fix has been merged on 4da4d0 22 days ago
The fix bounty has been dropped
search-rows.inc#L107 has been validated
jhond0e
14 days ago

Hi, your demo website (demo.syspass.org) is always vulnerable to this issue.