Stored Cross Site Scripting (Network Maps Editor functionality) in pandorafms/pandorafms
Oct 26th 2022
Hope you are doing well.
I have found a stored cross-site scripting vulnerability in the network maps edit functionality.
What is a stored cross-site scripting attack?
Stored XSS occurs when user-supplied input is stored by the application and later rendered into a web page without proper encoding. Typical entry points are message forums, blog comments, user profiles and username fields. An attacker typically exploits it by injecting a payload into a popular page of the site, or by sending a victim a link to the page that contains the stored payload. When the victim views that page, the payload executes client-side in the victim's browser, in the context of the victim's session.
Proof of Concept
- As a low-privilege user (a "manager" role in this case), create a network map whose name is the XSS payload given below.
- Once it is created, an admin user must open the network map in the edit view (Edit network maps).
- The XSS payload executes in the admin's browser; this could be used to steal the admin user's cookie value.
POC Link: https://drive.google.com/drive/folders/1l_jvDKS3DvWKICwCMw1P0ntSyaTlIcCX?usp=sharing
Payload used: "><img src=x onerror=alert(document.cookie)>
Impact
Because the payload runs with the privileges of whoever opens the editor (an admin in this scenario), an attacker can:
- Perform any action within the application that the victim user can perform.
- View any information that the victim user is able to view.
- Modify any information that the victim user is able to modify.
Remediation
- Perform proper output encoding when the map name is written into the page: it is reflected inside an HTML attribute here, so the `"` and `>` characters in particular must be encoded for that context.
- Perform proper input validation and sanitization on the map name (e.g. an allowlist of permitted characters and a maximum length); this is a second layer, not a replacement for output encoding.
- Add security headers such as a Content-Security-Policy as an extra layer of protection. Note that X-XSS-Protection is deprecated and ignored by current browsers, so CSP is the header to rely on. Marking the session cookie HttpOnly also prevents a payload like the one below from reading it via document.cookie, although it does not stop the payload from issuing requests as the victim.
I have added a video PoC in the shared folder link. Please check it and let me know in case of any query.
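The following is an added example, not code from the report or from the PandoraFMS project. It shows why the payload in the PoC works when the map name is concatenated into an HTML attribute unencoded, and how the two remediation layers above (contextual output encoding and allowlist input validation) neutralise it. The template string and the allowlist pattern are assumptions chosen for illustration; the tag-counting check is a crude regex used only to make the effect visible offline, not a production XSS detector.

```javascript
// Added example (not PandoraFMS code). The form template below is an
// assumption about how a "name" field might be rendered in an edit view.

// The exact payload from the report.
const PAYLOAD = '"><img src=x onerror=alert(document.cookie)>';

// Vulnerable rendering: the stored name is concatenated straight into a
// double-quoted attribute, so a leading `">` closes the attribute and the
// input tag, and everything after it is parsed as new markup.
function renderMapNameFieldVulnerable(name) {
  return '<input type="text" name="name" value="' + name + '">';
}

// Contextual output encoding for HTML text and double-quoted attribute values.
// Encoding `"` is what stops the attribute breakout; encoding `<` and `>`
// stops the injected fragment from ever becoming a tag.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering: identical template, encoded value.
function renderMapNameFieldSafe(name) {
  return '<input type="text" name="name" value="' + escapeHtml(name) + '">';
}

// Second layer: allowlist validation at input time. The permitted character
// set and length limit are assumptions; adjust to what map names really need.
const MAP_NAME_PATTERN = /^[A-Za-z0-9 _.\-]{1,100}$/;
function isValidMapName(name) {
  return typeof name === 'string' && MAP_NAME_PATTERN.test(name);
}

// Crude demonstration check: count tags in the rendered markup. A correctly
// encoded field always yields exactly one (the <input>); the vulnerable
// rendering of the payload yields a second <img> tag with an onerror handler.
function countTags(html) {
  return (html.match(/<[A-Za-z][^>]*>/g) || []).length;
}

// Stand-alone demonstration.
console.log('vulnerable:', renderMapNameFieldVulnerable(PAYLOAD), 'tags:', countTags(renderMapNameFieldVulnerable(PAYLOAD)));
console.log('safe:      ', renderMapNameFieldSafe(PAYLOAD), 'tags:', countTags(renderMapNameFieldSafe(PAYLOAD)));
console.log('payload passes allowlist?', isValidMapName(PAYLOAD));
```

Encoding must match the output context: the attribute encoder above is not sufficient if the name is later placed inside a `<script>` block or a JavaScript event handler, each of which needs its own encoding. That is also why CSP and HttpOnly cookies are worth adding as independent layers.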
Reserved CVE-2022-43980. This issue will be fixed in v766.
Could you please tell me why the severity was changed from High to Medium? I am able to steal the admin user's cookies and perform an admin account takeover.
Hi Garish, it's the maintainer's assessment...
Hi all, any update on this?
By when this issue will be closed, @admin?
This is in the hands of the maintainer, admins are unable to take actions on reports without the maintainer's consent. Thanks:)
Thank you for the update... Let me know once the reserved CVE, CVE-2022-43980, is published.
Hi Team, this issue is fixed. Also, the CVE reserved for this bug has been published.
@admin please check and close this issue.