Stored XSS in "users name", "functions name", "storage buckets name" and "database collections name" in appwrite/appwrite
Reported on Jun 27th 2022
Description
The Appwrite application allows a malicious JavaScript payload to be injected into the users name, functions name, storage buckets name and database collections name fields, which leads to stored XSS.
Proof of Concept
1. Log in to the application.
2. Go to the "users name", "functions name", "storage buckets name" and "database collections name" fields and add the JavaScript payload.
Payload:
<img src=1 onerror=alert(document.location)>
3. Then view the created user, function, storage bucket or database collection; the XSS will now trigger.
PoC video:
https://drive.google.com/file/d/1JoMQy1KTodVtIVOzH3vKcC3AwZz0PrFb/view?usp=sharing
Impact
This allows attackers to execute malicious scripts in the user's browser and it can lead to session hijacking, sensitive data exposure, and worse.
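The standard mitigation for this class of bug is to HTML-encode stored names where they are written into the page. The sketch below is an added example, not Appwrite's code and not part of the report: the resource objects, the markup and every function name are hypothetical, and only the payload string is taken from the report above.

```javascript
// Constructed sample data: resource names as a listing view might receive them.
// The object shape is an assumption; PAYLOAD is the string from the report.
const PAYLOAD = '<img src=1 onerror=alert(document.location)>';
const resources = [
  { kind: 'user', name: 'Alice' },
  { kind: 'function', name: PAYLOAD },
  { kind: 'bucket', name: 'O\'Reilly "docs" & <b>backups</b>' },
];

// Characters that can switch parsing context in HTML text or quoted attributes.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored name is concatenated into markup as-is,
// so the browser parses it as HTML when the row is viewed.
function renderRowUnsafe(r) {
  return `<li class="${r.kind}" title="${r.name}">${r.name}</li>`;
}

// Hardened pattern: every stored value is encoded at the point of output,
// in both the attribute and the text position.
function renderRowSafe(r) {
  const name = escapeHtml(r.name);
  return `<li class="${escapeHtml(r.kind)}" title="${name}">${name}</li>`;
}

// Regression check: the only tags a rendered row may contain are <li> and </li>.
function hasUnexpectedTag(html) {
  const tags = html.match(/<\/?[a-z][^\s>]*/gi) || [];
  return tags.some((t) => !/^<\/?li$/i.test(t));
}

// Returns the kinds of resources whose rendered row carries injected markup.
function audit(render) {
  return resources.filter((r) => hasUnexpectedTag(render(r))).map((r) => r.kind);
}

console.log('unsafe renderer leaks markup for:', audit(renderRowUnsafe));
console.log('safe renderer leaks markup for:  ', audit(renderRowSafe));
console.log(renderRowSafe(resources[1]));
```

In a browser view the same effect comes from assigning the name through `textContent` instead of `innerHTML`; the encoding belongs at output time, so names already stored with markup are also rendered inert.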
Hello @abnegate can you please tell me when you will deploy the fix?
We're planning to release in the next few days, you can track any updates on our releases page
@admin As this report is marked as valid can I get the bounty for this report?
We are not currently offering bounties for non-sponsored projects 👍
