froxlor

Valid

Reported on

Dec 30th 2022

Description

The theme parameter is vulnerable to HTMLi on /lib/ajax.php endpoint

Proof of Concept

go to https://v2.demo.froxlor.org
Login with a user
Go to https://v2.demo.froxlor.org/lib/ajax.php?action=newsfeed&theme=%3C/br%3E%3Ch1%3EHTMLi%20by%20leo_rac%3C/h1%3E%3Cbr%3E
You'll see the injected payload

Impact

In this way it is possible to perform a series of actions ranging from stealing credentials, taking the victim to an arbitrary site, or the possibility of inserting false messages to the victim.

We are processing your report and will contact the froxlor team within 24 hours. 10 days ago

Michael Kaufmann modified the Severity from High (7.1) to Medium (5.3) 10 days ago

The researcher has received a minor penalty to their credibility for miscalculating the severity: -1

Michael Kaufmann validated this vulnerability 10 days ago

leorac has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Michael Kaufmann marked this as fixed in 2.0.0-beta1 with commit f2485e 10 days ago

The fix bounty has been dropped

This vulnerability has been assigned a CVE

Michael Kaufmann published this vulnerability 10 days ago

to join this conversation