Cross-site Scripting (XSS) - Reflected in collectiveaccess/providence
Reported on
Sep 29th 2021
Description:
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites.
Proof of Concept
// PoC.js
POC --> https://demo.collectiveaccess.org/index.php/system/auth/login?redirect=http://example.com%22%3E%3Cimg%20src=https://httpbin.org/basic-auth/user/passwd%3E
A user can steal credentials using a login form that will display.
Impact
This vulnerability is capable of claiming other users' cookies and performing other advanced scenarios. Account takeover is possible in this case.
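The pattern behind the PoC above and its fix, as an added example that is not part of the original report and is not CollectiveAccess code. It assumes the `redirect` parameter is reflected into an HTML attribute; the function names, the hidden-input markup and the sample path are hypothetical.

```php
<?php
// Added example: a constructed stand-in, not CollectiveAccess code.
// Assumption: the login page reflects the "redirect" query parameter
// into an HTML attribute of the response.

// Constructed sample: the decoded "redirect" value from the PoC URL above.
$redirect = 'http://example.com"><img src=https://httpbin.org/basic-auth/user/passwd>';

// Before: raw reflection. The double quote closes the attribute and the
// <img> tag that follows becomes live markup in the page.
function render_unsafe(string $redirect): string {
    return '<input type="hidden" name="redirect" value="' . $redirect . '">';
}

// After, step 1: accept only same-site relative paths. The value must start
// with one "/" (not "//", which browsers resolve to another host) and must
// not contain control characters, spaces, backslashes, quotes or angle brackets.
function safe_redirect_target(string $redirect, string $default = '/index.php'): string {
    if (preg_match('#^/(?!/)[^\x00-\x20\\\\"\'<>]*$#', $redirect) !== 1) {
        return $default; // anything else falls back to a fixed landing page
    }
    return $redirect;
}

// After, step 2: encode for the HTML attribute context at output time,
// even though the value has already been validated.
function render_safe(string $redirect): string {
    $target = safe_redirect_target($redirect);
    return '<input type="hidden" name="redirect" value="'
        . htmlspecialchars($target, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '">';
}

echo render_unsafe($redirect), PHP_EOL;                   // injected <img> survives
echo render_safe($redirect), PHP_EOL;                     // falls back to /index.php
echo render_safe('/index.php/constructed/path'), PHP_EOL; // constructed valid path is kept
```

Validation also stops the parameter from being used as an open redirect to another host, while the output encoding covers any other place the same value is echoed.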
I cannot make the POC work. Please provide additional details.
Actually, we can call this an HTML injection (a bypass for XSS will take time). This: <img src=//collectiveaccess.org:81/>. You can only integrate this, to get the form.
Anyway, you fixed this without any other response!
Thanks ;)
Well, we had debugging mode on for a bit... which I realized was a bad idea when you are testing these things. So I turned it off again :-)
No validation then?! Just turn it on and try to inject this payload: <img src=//collectiveaccess.org:81/>. Anyway, this is an HTML injection, I'm sure! You can just go and confirm.
Yeah I see it. It's not something that is typically left on. It's just to see raw output.
Just confirm that this report is valid, cuz there was an HTML injection point. Best,