Cross-site Scripting (XSS) - Stored in eventum/eventum

Valid

Reported on

Nov 10th 2021

Description

Multiple Stored XSS in Administration at eventum 3.10.8

Proof of Concept

// PoC.payload
"><iMg SrC="x" oNeRRor="alert(1);">

Step to Reproduct

Goto Administration Areas and choose to feature below

Manage News

Input payload into field[Title]

Manage Status

Input payload into field[Title]

Manage Projects

Input payload into field[Title]

Manage Releases

Input payload into field[Title]

Manage Categories

Input payload into field[Title]

Manage Priorities

Input payload into field[Title]

Manage Severities

Input payload into field[Title] and field[Description]

Manage Phone Support Categories

Input payload into field[Title]

Manage Time Tracking Categories

Input payload into field[Title]

Manage Users

Input payload into field[Full Name ]

Manage Groups

Input payload into field[Title] and and field[Description]

Manage Issue Resolutions

Input payload into field[Title]

Manage Canned Email Responses

Input payload into field[Title]

Manage Link Filters

Input payload into field[Description]

Impact

This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie.

Recomendation

Add | escape:"html" for the points listed in the Occurrences section since it is possible to prevent triggering the stored xss from the functions listed in the Step to Reproduct section.

Occurrences

We are processing your report and will contact the eventum team within 24 hours. a year ago
lethanhphuc modified the report
a year ago
lethanhphuc submitted a
patch
a year ago
lethanhphuc submitted a
patch
a year ago
We have contacted a member of the eventum team and are waiting to hear back a year ago
lethanhphuc modified the report
a year ago
We have sent a follow up to the eventum team. We will try again in 7 days. a year ago
lethanhphuc modified the report
a year ago
lethanhphuc modified the report
a year ago
eventum/eventum maintainer validated this vulnerability a year ago
lethanhphuc has been awarded the disclosure bounty
The fix bounty is now up for grabs
eventum/eventum maintainer marked this as fixed with commit a4b6fd a year ago
lethanhphuc has been awarded the fix bounty
This vulnerability will not receive a CVE
statuses.tpl.html#L169 has been validated
custom_fields.tpl.html#L199 has been validated
phone_categories.tpl.html#L91 has been validated
anonymous.tpl.html#L64 has been validated
projects.tpl.html#L274 has been validated
view_form.tpl.html#L77-L81 has been validated
adv_search.tpl.html#L375 has been validated
news.tpl.html#L136 has been validated
priorities.tpl.html#L157 has been validated
severities.tpl.html#L127 has been validated
round_robin.tpl.html#L134 has been validated
latest_news.tpl.html#L12 has been validated
list.tpl.html#L113-L114 has been validated
view_form.tpl.html#L117 has been validated
users_form.tpl.html#L152 has been validated
select_project.tpl.html#L43 has been validated
faq.tpl.html#L37 has been validated
custom_fields.tpl.html#L14 has been validated
groups.tpl.html#L157-L168 has been validated
releases.tpl.html#L114 has been validated
new_form.tpl.html#L50 has been validated
email_responses.tpl.html#L118 has been validated
resolution.tpl.html#L104 has been validated
column_display.tpl.html#L18 has been validated
time_tracking.tpl.html#L94 has been validated
users_list.tpl.html#L134-L143 has been validated
categories.tpl.html#L93 has been validated
custom_fields.tpl.html#L223 has been validated
email_accounts.tpl.html#L247 has been validated
time_tracking.tpl.html#L29 has been validated
to join this conversation