Cross-site Scripting (XSS) - Reflected in collectiveaccess/providence

Valid

Reported on

Sep 29th 2021


Description:

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites

Proof of Concept

// PoC.js
 
POC --> https://demo.collectiveaccess.org/index.php/system/auth/login?redirect=http://example.com%22%3E%3Cimg%20src=https://httpbin.org/basic-auth/user/passwd%3E

i user can steal credentials using a login form will display 


Impact

This vulnerability is capable of claiming other users cookie performing other advanced scenarios . Account takeover is possible in this case .

We have contacted a member of the collectiveaccess/providence team and are waiting to hear back a month ago
CollectiveAccess
a month ago

Maintainer


I cannot make the POC work. Please provide additional details.

0x9x
a month ago

Researcher


Actualy we can call this an HTML injection ( a bypass for xss will take time ) this <img src=//collectiveaccess.org:81/> you can only integrate this ! to get the form .

Anyways you fixed this without any other respond !

Thanks ;)

CollectiveAccess
a month ago

Maintainer


Well we had debugging mode on for bit... which I realized was a bad idea when you are testing these things. So I turned it off again :-)

0x9x
a month ago

Researcher


no validation then ?! just turn it on and try to inject this payload <img src=//collectiveaccess.org:81/>. anyways this is an html injection i'm sure ! you can just go and confirm.

CollectiveAccess
a month ago

Maintainer


Yeah I see it. It's not something that is typically left on. It's just to see raw output.

0x9x
a month ago

Researcher


just confirm that this report is valid , cuz there was an html injection point . best,

CollectiveAccess
a month ago

Maintainer


Ok will do.

CollectiveAccess validated this vulnerability a month ago
0x9x has been awarded the disclosure bounty
The fix bounty is now up for grabs
CollectiveAccess confirmed that a fix has been merged on 84eb9d a month ago
CollectiveAccess has been awarded the fix bounty
0x9x
a month ago

Researcher


Good!