Bypass filter - Stored XSS in Resources in francoisjacquet/rosariosis

Valid

Reported on Jun 7th 2022


Description

The website does not correctly neutralize user-controllable input before it is placed in output that is served as a web page to other users.

Proof of concept

javaSCRIPT:alert(origin)

Steps to reproduce (it works on Firefox, not in Chromium-based browsers):

1. Go to https://www.rosariosis.org/demonstration/ and log in with the administrator account.
2. Go to https://www.rosariosis.org/demonstration/Modules.php?modname=Resources/Resources.php
3. Create a new link with the content javaSCRIPT:alert(origin)
4. Click the link and observe a pop-up.

Image POC

https://drive.google.com/file/d/164Sk7viMV4gHvrmDykJZ9euivfoHlN-1/view?usp=sharing

https://drive.google.com/file/d/1-v6coqFoi0fQxjyak61XlH6GEFLiN2x7/view?usp=sharing

Video POC

https://drive.google.com/file/d/1JGwM0_WBShHRWnAc9l-9zY26ayZF3rSW/view?usp=sharing

Impact

A user clicking the link can be affected by malicious JavaScript code created by the attacker.
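As an added defensive illustration (constructed for this page, not RosarioSIS code and not the fix in commit 6e213b), the following Python validator contrasts a case-sensitive `javascript:` prefix check, which the report's `javaSCRIPT:` payload slips past, with an allowlist applied to the normalised URL scheme; the set of allowed schemes is an assumption.

```python
"""Constructed example, not RosarioSIS code: allowlisting the URL scheme
of a user-supplied link, compared with the kind of check the report's
`javaSCRIPT:` payload slips past."""
import html
import re
from urllib.parse import urlsplit

# Assumption for this example: schemes a Resources link may legitimately use.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Leading/trailing characters browsers drop before parsing a URL (C0 controls, space).
_C0_AND_SPACE = "".join(map(chr, range(0x21)))


def naive_is_safe(url: str) -> bool:
    """A case-sensitive prefix blocklist: exactly what `javaSCRIPT:` bypasses."""
    return not url.startswith("javascript:")


def normalise(url: str) -> str:
    """Reduce the link to the form a browser will actually parse."""
    # href attribute values are entity-decoded by the browser, so decode first
    # (catches `jav&#x61;script:`).
    decoded = html.unescape(url)
    # WHATWG URL parsing strips leading/trailing C0/space and removes
    # tab, LF and CR anywhere, so `java\tscript:` still reaches the scheme parser.
    return re.sub(r"[\t\n\r]", "", decoded.strip(_C0_AND_SPACE))


def is_safe_link(url: str) -> bool:
    """Accept only relative links or links whose normalised scheme is allowlisted."""
    scheme = urlsplit(normalise(url)).scheme.lower()  # urlsplit already lower-cases
    return scheme == "" or scheme in ALLOWED_SCHEMES


if __name__ == "__main__":
    for candidate in ("javaSCRIPT:alert(origin)", "https://www.rosariosis.org/",
                      "/Modules.php?modname=Resources/Resources.php"):
        print(f"{candidate!r}: naive={naive_is_safe(candidate)} "
              f"allowlist={is_safe_link(candidate)}")
```

The normalised form is used only for the accept/reject decision; the original string is what would be stored, and the output context (an href attribute) still needs its own HTML attribute encoding on render.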

We are processing your report and will contact the francoisjacquet/rosariosis team within 24 hours. (a year ago)
Domiee13 modified the report. (a year ago)
We have contacted a member of the francoisjacquet/rosariosis team and are waiting to hear back. (a year ago)
François Jacquet validated this vulnerability. (a year ago)
Domiee13 has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
The researcher's credibility has increased: +7
François Jacquet marked this as fixed in 9.0.1 with commit 6e213b. (a year ago)
François Jacquet has been awarded the fix bounty.
This vulnerability will not receive a CVE.
Domiee13 (Researcher), a year ago:

@admin can we assign a CVE to this vulnerability?

Jamie Slome (Admin), a year ago:

Sorted 👍
