Cross-site Scripting (XSS) - Reflected in hestiacp/hestiacp

Valid

Reported on

Mar 3rd 2022


Description


Proof of Concept

XSS in the add domain function
POST /add/web
v-custom-doc-domain=<script>alert(1)</script>
https://drive.google.com/file/d/1EeoOX7Pmn5ptuweine4Cgcy1fyd6qEzJ/view?usp=sharing

Impact

We are processing your report and will contact the hestiacp team within 24 hours. 3 months ago
Jaap Marcus validated this vulnerability 3 months ago
huydoppa has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jaap Marcus
3 months ago

Maintainer


@admin please assign a CVE for this issue

Jamie Slome
3 months ago

Admin


CVE assigned (CVE-2022-0838)! 🎊

Jamie Slome
3 months ago

Admin


Please ping me once you are ready to publish the fix and make the report public, and I will publish the CVE to MITRE.

huydoppa
3 months ago

Researcher


https://www.huntr.dev/bounties/8ce4b776-1c53-45ec-bc5f-783077e2d324/ has $10 for the report

Jaap Marcus
3 months ago

Maintainer


Rules have changed and Huntr.dev doesn't pay anything for a Medium or Low CVSS score on non-featured ones ... due to complaints from maintainers. See the Huntr.dev Discord channel.

Jaap Marcus
3 months ago

Maintainer


Bug was present in a JavaScript function that displays the domain; it didn't sanitise it...
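The pattern the maintainer describes, shown as an added example rather than HestiaCP's own code: a display routine that builds markup from the submitted domain without escaping it, beside a hardened version and an input check. The function names (`renderDomainUnsafe`, `renderDomainSafe`, `escapeHtml`, `isValidHostname`) are assumptions, not identifiers from the project.

```javascript
// Added example (not HestiaCP's code). Names below are assumptions.

// Minimal HTML-escaping helper covering the five characters that can break
// out of a text node or a double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the domain is concatenated straight into markup, so the
// string this returns, once assigned to an element's innerHTML, executes any
// tag the submitter included.
function renderDomainUnsafe(domain) {
  return '<span class="domain">' + domain + "</span>";
}

// Hardened: same markup, but the untrusted value is escaped first so it is
// rendered as literal text. (In a browser, element.textContent = domain
// achieves the same without building markup at all.)
function renderDomainSafe(domain) {
  return '<span class="domain">' + escapeHtml(domain) + "</span>";
}

// Defence in depth, usable server-side before the value is stored or echoed:
// a custom document-root domain should only ever be a plain hostname.
function isValidHostname(domain) {
  return /^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i.test(domain);
}

// Constructed input: the payload quoted in the report above.
const submitted = "<script>alert(1)</script>";
console.log(renderDomainUnsafe(submitted)); // the <script> tag survives intact
console.log(renderDomainSafe(submitted));   // <span class="domain">&lt;script&gt;alert(1)&lt;/script&gt;</span>
console.log(isValidHostname(submitted));    // false
console.log(isValidHostname("docs.example.com")); // true
```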

Jaap Marcus confirmed that a fix has been merged on 640f82 3 months ago
The fix bounty has been dropped
Jamie Slome
3 months ago

Admin


CVE published! 🎉
