Stored xss in "users name","functions name","storage buckets name" and in "database collections name" in appwrite/appwrite

Valid

Reported on

Jun 27th 2022


Description

Appwrite application allows malicious javascript payload to inject in users name,functions name,storage buckets name and in database collections name which leads to Stored XSS.

Proof of Concept

1.Login to the application

2.Go to the "users name","functions name","storage buckets name" and in "database collections name" and add the javascript payload.

Payload:

<img src=1 onerror=alert(document.location)>

3.Then view the created user ,function, storage bucket, database collection now XSS will trigger.

PoC video:

https://drive.google.com/file/d/1JoMQy1KTodVtIVOzH3vKcC3AwZz0PrFb/view?usp=sharing

Impact

This allows attackers to execute malicious scripts in the user's browser and it can lead to session hijacking, sensitive data exposure, and worse.

We are processing your report and will contact the appwrite team within 24 hours. 2 years ago
SAMPRIT DAS modified the report
2 years ago
We have contacted a member of the appwrite team and are waiting to hear back 2 years ago
We have sent a follow up to the appwrite team. We will try again in 4 days. 2 years ago
We have sent a second follow up to the appwrite team. We will try again in 7 days. 2 years ago
We have sent a third follow up to the appwrite team. We will try again in 14 days. 2 years ago
Jake Barnby gave praise 2 years ago
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Jake Barnby validated this vulnerability 2 years ago
sampritdas8 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
SAMPRIT DAS
2 years ago

Researcher


Hello @abnegate can you please tell me when you will deploy the fix?

Jake Barnby
2 years ago

Maintainer


We're planning to release in the next few days, you can track any updates on our releases page

We have sent a fix follow up to the appwrite team. We will try again in 7 days. 2 years ago
SAMPRIT DAS
2 years ago

Researcher


Okay

SAMPRIT DAS
2 years ago

Researcher


@admin As this report is marked as valid can I get the bounty for this report?

Jamie Slome
2 years ago

We are not currently offering bounties for non-sponsored projects 👍

We have sent a second fix follow up to the appwrite team. We will try again in 10 days. a year ago
appwrite/appwrite maintainer marked this as fixed in 1.0.0-RC1 with commit b5b4d9 a year ago
The fix bounty has been dropped
to join this conversation