Cross-site Scripting (XSS) - Stored in francoisjacquet/rosariosis
Nov 27th 2021
I found XSS in the file upload function of the message function.
Proof of Concept
1. First, access the latest version of the demo environment.
2. Then log in with your student account.
Student: username and password “student”
3. After logging in, access "MESSAGING > Write" from the menu on the left.
4. Then enter the title and message as appropriate.
5. Now upload the SVG file containing XSS to "File Attached".
6. Finally, select "Teach Teacher" as the destination and send.
7. Log in from here with your teacher's account.
Teacher: username and password “teacher”
8. After logging in, access "MESSAGING > Messages" from the menu and select the message you just sent.
9. Then click on the last attached file and a pop-up screen will appear.
This vulnerability can steal a user's cookie.
Thank you very much for your report. SVG upload has been disabled for now. I may introduce an SVG sanitize routine in the future.
@maintainer, I would be glad if you could approve for CVE.
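An upload-time check of the kind the report calls for, as an added example that is not part of the original thread and not RosarioSIS code. It refuses any SVG that is not a purely static drawing. The function name, the element allowlist and the sample file are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "{http://www.w3.org/2000/svg}"
# Constructed allowlist of static drawing elements. Anything else (script,
# foreignObject, a, use, animate, set, style, ...) causes a refusal.
ALLOWED_TAGS = {"svg", "g", "path", "rect", "circle", "ellipse", "line",
                "polyline", "polygon", "text", "tspan", "title", "desc",
                "defs", "linearGradient", "radialGradient", "stop", "clipPath"}


def local(name):
    """Drop the '{namespace}' prefix ElementTree puts on qualified names."""
    return name.rsplit("}", 1)[-1]


def svg_rejection_reasons(data):
    """Return why an uploaded SVG (bytes) is refused; an empty list means static."""
    try:
        text = data.decode("utf-8")  # one known encoding, so the checks see real text
    except UnicodeDecodeError:
        return ["not UTF-8 text"]
    # Refuse DTDs before parsing: they allow entity expansion and external entities.
    if re.search(r"<!(DOCTYPE|ENTITY)", text, re.IGNORECASE):
        return ["DOCTYPE/ENTITY declaration"]
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != SVG_NS + "svg":
        return ["root element is not <svg> in the SVG namespace"]
    reasons = []
    for el in root.iter():
        tag = local(el.tag)
        if not el.tag.startswith(SVG_NS) or tag not in ALLOWED_TAGS:
            reasons.append(f"element <{tag}> not allowed")
        for name, value in el.attrib.items():
            attr = local(name).lower()
            if attr.startswith("on"):  # onload, onclick, onbegin, ...
                reasons.append(f"event handler attribute {attr} on <{tag}>")
            elif attr == "href" and not value.strip().startswith("#"):
                reasons.append(f"non-fragment href on <{tag}>")
    return reasons


if __name__ == "__main__":
    # Constructed sample: a harmless rectangle plus an inert script element.
    sample = (b'<svg xmlns="http://www.w3.org/2000/svg">'
              b'<rect width="4" height="4"/><script>/* inert */</script></svg>')
    print(svg_rejection_reasons(sample))
```

The check fails closed: a file is accepted only when every element is on the allowlist, so new SVG features are refused until someone adds them deliberately.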
@admin can you pls assign a CVE for this?
Same here, I would recommend dropping a comment on the commit SHA as we require the maintainer(s) go ahead to publish a CVE 👍
@morioka12 I approve the CVE.
Thanks to François Jacquet for the approval.
@admin, I got approval from the maintainer.
The CVE has been assigned and will be published automatically in the next couple of hours 👍
Thank you very much!