Cross-site Scripting (XSS) - Stored in mineweb/minewebcms

Valid

Reported on

Sep 14th 2021


Description

A malicious actor is able to add a malicious payload as a new Page Title. Afterwards, every time an administrative user visits the /admin/pages route, the XSS payload is executed.

Proof of Concept

1. Create a new Page at the following route: /admin/pages/add. Use the following payload as the Page title: <script>alert("This Is An XSS POC");</script>, and save with an arbitrary URL and content.

2. Save the new Page; upon saving, the XSS payload is already executed.

3. Now, each time any administrative user visits the Pages admin menu at the /admin/pages route, the XSS payload gets executed.

Impact

The danger of this stored XSS is that a malicious actor is able to gather session identifiers from any other admin user who happens to browse the pages menu. The malicious actor can thus impersonate any other admin and act as them. Upon receiving this information, the confidentiality of sessions is compromised.
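The pattern behind this report, as an added example that is not MineWeb's code and not part of the original report: an admin listing that concatenates stored page titles into HTML, beside the same listing with output encoding applied. The function names, field names and sample rows are assumptions constructed for illustration.

```php
<?php
// Added illustration; not MineWeb code. Function and field names are hypothetical.

// Constructed sample rows, as a pages table might hold them after the PoC above.
$pages = [
    ['id' => 1, 'title' => 'Rules', 'slug' => 'rules'],
    ['id' => 2, 'title' => '<script>alert("This Is An XSS POC");</script>', 'slug' => 'poc'],
];

// Vulnerable pattern: the stored title is concatenated into HTML unchanged,
// so the browser parses it as markup whenever the list is displayed.
function renderPagesUnsafe(array $pages): string
{
    $html = "<table>\n";
    foreach ($pages as $p) {
        $html .= '<tr><td>' . $p['title'] . '</td><td>' . $p['slug'] . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Hardened pattern: every stored value is HTML-encoded at output time.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderPagesSafe(array $pages): string
{
    $html = "<table>\n";
    foreach ($pages as $p) {
        $html .= '<tr><td>' . e($p['title']) . '</td><td>' . e($p['slug']) . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

$unsafe = renderPagesUnsafe($pages);
$safe   = renderPagesSafe($pages);

// Report whether each rendering still contains a live <script> element.
// In the safe rendering the title survives only as inert text (&lt;script&gt;...).
var_dump(strpos($unsafe, '<script>') !== false);
var_dump(strpos($safe, '<script>') !== false);
echo $safe;
```

Encoding at output covers titles that were stored before any input filter existed. Marking the session cookie HttpOnly additionally keeps injected script from reading the session identifier described under Impact.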

We created a GitHub Issue asking the maintainers to create a SECURITY.md 8 months ago
nivcoo validated this vulnerability 4 months ago
PHoward has been awarded the disclosure bounty
The fix bounty is now up for grabs
nivcoo confirmed that a fix has been merged on e45797 4 months ago
nivcoo has been awarded the fix bounty