Cross-site Scripting (XSS) - Stored in Space Name in humhub/humhub

Valid

Reported on

Jun 30th 2022


Description

Stored cross-site scripting (XSS) in the space name. Because the space name is not HTML-encoded, the script is executed when the "Confirm action" modal pops up.

Proof of Concept

Step 1: Create a new Space and fill in the name with this payload: "><script>alert(1)</script>.

Step 2: Send an invite to the victim, then save.

Step 3: The victim accepts the invite. Whenever they click the button to leave the Space, the "Confirm action" modal pops up and executes the script <script>alert(1)</script>.

By the way, the same problem also happens when the victim requests to join this Space and then withdraws that request.

This is PoC video

Impact

This vulnerability can be used to steal other users' cookies (admin included).
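The missing encoding described in this report, shown as an added example; it is not HumHub's code and not the merged fix. It assumes the confirm modal renders its message as HTML, and the function names and the message wording are hypothetical.

```javascript
// Added example: names and message text are constructed, not HumHub code.

// Encode the five characters that are significant in HTML text and attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// "Before": the user-controlled name is concatenated into markup the modal renders as HTML.
function confirmBodyUnsafe(spaceName) {
  return `Would you like to leave <strong>${spaceName}</strong>?`;
}

// "After": the template's own markup stays, only the untrusted value is encoded.
function confirmBodySafe(spaceName) {
  return `Would you like to leave <strong>${escapeHtml(spaceName)}</strong>?`;
}

// Regression helper: list the element names an HTML parser would open in the markup.
function openedElements(html) {
  return [...html.matchAll(/<([a-zA-Z][a-zA-Z0-9-]*)/g)].map((m) => m[1].toLowerCase());
}

// Allow-list check suitable for a unit test around any confirm/modal message builder.
function onlyAllowedElements(html, allowed = ['strong']) {
  return openedElements(html).every((name) => allowed.includes(name));
}

const payload = '"><script>alert(1)</script>'; // space name from Step 1 of the report
const benign = 'R&D <Team>'; // constructed legitimate name containing special characters

for (const name of [payload, benign]) {
  const unsafe = confirmBodyUnsafe(name);
  const safe = confirmBodySafe(name);
  console.log('unsafe:', unsafe, '| only allowed elements:', onlyAllowedElements(unsafe));
  console.log('safe:  ', safe, '| only allowed elements:', onlyAllowedElements(safe));
}
```

In a browser, assigning the name through `textContent` instead of building markup avoids the encoding step altogether.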

We are processing your report and will contact the humhub team within 24 hours. a month ago
komega2409 modified the report
a month ago
komega2409
a month ago

Researcher


@admin @maintainer Excuse me, any updates for this report?

Jamie Slome
a month ago

Admin


Please allow for our system to reach out to the maintainers of the project. An initial e-mail should be sent in a couple of hours. You will see the status update in the chat logs below 👇

We have contacted a member of the humhub team and are waiting to hear back a month ago
Lucas Bartholemy validated this vulnerability a month ago
komega2409 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the humhub team. We will try again in 7 days. a month ago
Lucas Bartholemy confirmed that a fix has been merged on f88991 a month ago
The fix bounty has been dropped
komega2409
a month ago

Researcher


@admin Could you assign CVE for this report?

Jamie Slome
a month ago

Admin


Happy to do so if the maintainer gives their approval 👍
