category Cross-site Scripting (XSS) - Stored in nuxsmin/syspass

Valid

Reported on May 21st 2022


Description

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Proof of Concept

  1. Create a new user, add a category, and add the XSS payload (" onClick="alert(1)").
  2. Search user.
  3. Click Client tab.
  4. XSS is executed.

Please check this video. https://drive.google.com/file/d/1PAyU-OunbaP9But9ga60ria-W6G3yfTC/view?usp=sharing

Impact

Every user clicking the menu can be affected by malicious JavaScript code created by the attacker.

Overall, " characters are not escaped. XSS may occur in other areas.
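
The attribute-context problem this report describes, as an added example that is not part of the original report and is not sysPass code: the `<a title="...">` template and all function names are hypothetical, and the only page-derived value is the payload string quoted in the proof of concept. It renders a stored category name three ways and parses the result to check whether the value stayed inside its attribute.

```python
import html
from html.parser import HTMLParser

# Payload string quoted in the report's proof of concept.
PAYLOAD = '" onClick="alert(1)"'

# Hypothetical template: a stored category name placed in a quoted attribute.
TEMPLATE = '<a class="item" title="{}">category</a>'

def render_unsafe(name):
    # Vulnerable pattern: stored value concatenated into the attribute as-is.
    return TEMPLATE.format(name)

def render_tags_only(name):
    # Escapes only & < > (quote=False). The payload contains none of these,
    # so tag-oriented filtering leaves the attribute breakout intact.
    return TEMPLATE.format(html.escape(name, quote=False))

def render_safe(name):
    # Attribute-context encoding: " and ' are encoded as well as & < >.
    return TEMPLATE.format(html.escape(name, quote=True))

class FirstTagAttrs(HTMLParser):
    """Records the attributes of the first start tag, as a parser sees them."""
    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if self.attrs is None:
            self.attrs = dict(attrs)  # attribute names arrive lowercased

def parsed_attrs(markup):
    parser = FirstTagAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs or {}

def injected_handlers(markup):
    # Any on* attribute here was created by the stored value, since the
    # template itself defines only class and title.
    return sorted(k for k in parsed_attrs(markup) if k.startswith("on"))

if __name__ == "__main__":
    for render in (render_unsafe, render_tags_only, render_safe):
        out = render(PAYLOAD)
        print(render.__name__, injected_handlers(out), out)
```

The same parse-and-compare check can serve as a regression test for templates: render each stored field with a quote-bearing value and assert that the parsed attribute set equals the set the template defines.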

We are processing your report and will contact the nuxsmin/syspass team within 24 hours. (a year ago)
We created a GitHub Issue asking the maintainers to create a SECURITY.md (a year ago)
We have contacted a member of the nuxsmin/syspass team and are waiting to hear back (a year ago)
nuxsmin gave praise (a year ago)
Hi!, thanks for the notice. It seems that some values aren't being processed for a clean output within HTML tag's attributes. I'm currently working on a fix to be released shortly. Regards
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
We have sent a follow up to the nuxsmin/syspass team. We will try again in 7 days. (a year ago)
nuxsmin validated this vulnerability (a year ago)
Nick has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
nuxsmin marked this as fixed in 3.2.4 with commit 3c026f (a year ago)
The fix bounty has been dropped
This vulnerability will not receive a CVE

Nick (Researcher), 9 months ago

@admin can you pls assign a CVE for this?

Jamie Slome (Admin), 9 months ago

Happy to, we just require the go-ahead from the maintainer 👍

Nick (Researcher), 9 months ago

@maintainer, I would be glad if you could approve for CVE.
