Authenticated HTMLi via theme parameter on /lib/ajax.php in froxlor/froxlor

Valid

Reported on

Dec 30th 2022


Description

The theme parameter of the /lib/ajax.php endpoint is vulnerable to HTML injection (HTMLi): its value is reflected into the response as markup rather than being encoded.

Proof of Concept

  • Go to https://v2.demo.froxlor.org
  • Log in with a user
  • Go to https://v2.demo.froxlor.org/lib/ajax.php?action=newsfeed&theme=%3C/br%3E%3Ch1%3EHTMLi%20by%20leo_rac%3C/h1%3E%3Cbr%3E
  • You'll see the injected payload rendered in the response


Impact

In this way it is possible to perform a range of actions, from stealing credentials or taking the victim to an arbitrary site, to presenting false messages to the victim.
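The following is an added example, not froxlor's code, illustrating the defect pattern behind the description and PoC above next to a hardened version. The endpoint shape, function names and the list of installed themes are assumptions chosen for illustration; the theme value is only ever a selector for a known theme, so an allowlist plus output encoding closes the injection.

```php
<?php
// Added example (not froxlor's code): a minimal stand-in for an AJAX endpoint
// that picks a theme by name from the query string. The function names, the
// request shape and the theme list below are assumptions for illustration.

// Hypothetical list of installed themes; the allowlist is the primary control.
const INSTALLED_THEMES = ['Froxlor', 'Example'];

// Vulnerable pattern: the raw parameter is concatenated into markup, so a value
// such as "</br><h1>HTMLi</h1><br>" is returned to the browser as live HTML.
function renderThemeHeaderVulnerable(array $query): string
{
    $theme = $query['theme'] ?? INSTALLED_THEMES[0];
    return '<div class="theme-' . $theme . '">' . $theme . '</div>';
}

// Hardened pattern, two independent controls:
//  1. only values from the allowlist are accepted, failing closed to the default;
//  2. whatever is emitted is HTML-encoded for the context it lands in.
function selectTheme(?string $requested): string
{
    if ($requested !== null && in_array($requested, INSTALLED_THEMES, true)) {
        return $requested;
    }
    return INSTALLED_THEMES[0];
}

function renderThemeHeaderHardened(array $query): string
{
    $theme = selectTheme($query['theme'] ?? null);
    $safe  = htmlspecialchars($theme, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="theme-' . $safe . '">' . $safe . '</div>';
}

// Constructed request carrying the payload shape from the report.
$payload = ['theme' => '</br><h1>HTMLi</h1><br>'];

echo "vulnerable: ", renderThemeHeaderVulnerable($payload), PHP_EOL;
echo "hardened:   ", renderThemeHeaderHardened($payload), PHP_EOL;
```

Running the script shows the vulnerable function echoing the injected tags verbatim, while the hardened function falls back to the default theme name because the payload is not an installed theme. The htmlspecialchars call is kept even though the allowlist already rejects the payload, so that a future theme name containing quotes or angle brackets cannot reintroduce the problem.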

We are processing your report and will contact the froxlor team within 24 hours. 10 days ago
Michael Kaufmann modified the Severity from High (7.1) to Medium (5.3) 10 days ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Michael Kaufmann validated this vulnerability 10 days ago
leorac has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Michael Kaufmann marked this as fixed in 2.0.0-beta1 with commit f2485e 10 days ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Michael Kaufmann published this vulnerability 10 days ago