Cross-site Scripting (XSS) - Stored in Space Name in humhub/humhub
Jun 30th 2022
Cross-site Scripting (XSS) - Stored in space name. Because the space name is not HTML-encoded, the script it contains is executed when the "Confirm action" modal pops up.
Proof of Concept
Step 1: Create a new Space and fill in name with this payload:
Step 2: Send an invite to the victim, then save.
Step 3: The victim accepts the invite. Whenever the victim clicks the button to leave the Space, the "Confirm action" modal pops up and executes the script.
By the way, the same problem also happens when the victim requests to join this Space and then withdraws that request.
This is PoC video
This vulnerability can be used to steal other users' cookies (admin included).
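The root cause described above, a space name placed into the "Confirm action" modal without HTML encoding, is shown here beside the encoded form, together with a regression check. This is an added example, not code from the report or from HumHub; every function name and the modal markup are hypothetical, and the sample name is constructed, harmless markup.

```javascript
// Added example: all names here are hypothetical, not HumHub's API.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that are significant in HTML text and attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the user-controlled space name is concatenated into markup as-is,
// so any tags in the name become part of the modal's DOM.
function renderConfirmBodyUnsafe(spaceName) {
  return '<div class="modal-body">Are you sure you want to leave ' + spaceName + '?</div>';
}

// Hardened pattern: the name is encoded at the point where it enters HTML.
function renderConfirmBodySafe(spaceName) {
  return '<div class="modal-body">Are you sure you want to leave ' + escapeHtml(spaceName) + '?</div>';
}

// Count element tags (opening and closing) in rendered markup.
function countTags(html) {
  return (html.match(/<[a-zA-Z\/][^>]*>/g) || []).length;
}

// Regression check: a correct template yields the same number of tags no matter
// what the name contains. Returns true when the name stayed plain text.
function nameStaysText(render, name) {
  return countTags(render(name)) === countTags(render('plain'));
}

// Constructed sample input: harmless markup standing in for user-controlled text.
const SAMPLE_NAME = '<b>Ops</b> & "Dev"';

console.log('unsafe keeps name as text:', nameStaysText(renderConfirmBodyUnsafe, SAMPLE_NAME));
console.log('safe keeps name as text:  ', nameStaysText(renderConfirmBodySafe, SAMPLE_NAME));
console.log(renderConfirmBodySafe(SAMPLE_NAME));
```

The same check can run in a test suite against every template that displays a space name, including the leave and withdraw-request confirmations mentioned in the report.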