Cross-site Scripting (XSS) - Stored in francoisjacquet/rosariosis

Valid

Reported on

May 23rd 2022

Description

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Proof of Concept

it works on firefox (not in chromium based browsers)
login as admin
go to https://www.rosariosis.org/demonstration/Modules.php?modname=Resources/Resources.php
create link with decimal encoding with padded zeros payload
&#0000106avascript:alert(1)
click the link
observe the pop up

Impact

Every user clicking the link can be affected by malicious javascript code created by the attacker.

Occurrences

Resources.php L5-L58

References

https://owasp.org/www-community/attacks/xss/

We are processing your report and will contact the francoisjacquet/rosariosis team within 24 hours. a year ago

We have contacted a member of the francoisjacquet/rosariosis team and are waiting to hear back a year ago

François Jacquet validated this vulnerability a year ago

intrapus has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

François Jacquet marked this as fixed in 9.0 with commit d9f809 a year ago

François Jacquet has been awarded the fix bounty

This vulnerability will not receive a CVE

Resources.php#L5-L58 has been validated

to join this conversation