Cross-site Scripting (XSS) - Stored in eventum/eventum

Valid

Reported on

Nov 10th 2021


Description

Multiple stored XSS vulnerabilities in the Administration area of eventum 3.10.8

Proof of Concept

// PoC.payload
"><iMg SrC="x" oNeRRor="alert(1);">

Steps to Reproduce

Go to the Administration area and open each of the features below

Manage News

Input payload into field[Title]

Manage Status

Input payload into field[Title]

Manage Projects

Input payload into field[Title]

Manage Releases

Input payload into field[Title]

Manage Categories

Input payload into field[Title]

Manage Priorities

Input payload into field[Title]

Manage Severities

Input payload into field[Title] and field[Description]

Manage Phone Support Categories

Input payload into field[Title]

Manage Time Tracking Categories

Input payload into field[Title]

Manage Users

Input payload into field[Full Name]

Manage Groups

Input payload into field[Title] and field[Description]

Manage Issue Resolutions

Input payload into field[Title]

Manage Canned Email Responses

Input payload into field[Title]

Manage Link Filters

Input payload into field[Description]

Impact

An attacker can use this vulnerability to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie.

Recommendation

Add | escape:"html" to the template outputs listed in the Occurrences section; this prevents the stored XSS from triggering in the functions listed in the Steps to Reproduce section.
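The following audit script is an added example, not part of the original report or of the eventum code base. It lists template variable outputs that carry no escape modifier, which is the pattern the recommendation asks to fix. It assumes Smarty's default { } delimiters; the sample template and its variable names are constructed.

```python
import re

# A Smarty tag that prints a variable, e.g. {$item.title} or {$item.title|escape:"html"}.
# Assumption: the templates use Smarty's default { } delimiters.
# Requiring a letter or underscore after "$" skips JavaScript such as {$('#id')}.
OUTPUT_TAG = re.compile(r"\{\s*(\$[A-Za-z_][^{}\n]*?)\s*\}")
# Any use of the escape modifier; with no argument Smarty escapes for HTML.
ESCAPE_MODIFIER = re.compile(r"\|\s*escape\b")

def find_unescaped(template_text):
    """Return (line_number, tag) for every variable output with no escape modifier.

    Hits are candidates for review: values that are always numeric or are
    sanitised server-side may be safe, and an escaped value still needs the
    escape mode that fits its output context.
    """
    findings = []
    for line_no, line in enumerate(template_text.splitlines(), start=1):
        for match in OUTPUT_TAG.finditer(line):
            if not ESCAPE_MODIFIER.search(match.group(1)):
                findings.append((line_no, match.group(0)))
    return findings

# Constructed sample template (hypothetical variable names, not eventum's).
SAMPLE = """<td>{$item.title}</td>
<td>{$item.description|escape:"html"}</td>
<td>{$item.rank|escape}</td>
<input name="full_name" value="{$info.full_name|default:''}">
{if $item.active}yes{/if}
"""

if __name__ == "__main__":
    for line_no, tag in find_unescaped(SAMPLE):
        print(f"line {line_no}: unescaped output {tag}")
```
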

Occurrences

We are processing your report and will contact the eventum team within 24 hours.
24 days ago
lethanhphuc modified their report
24 days ago
lethanhphuc submitted a
24 days ago
lethanhphuc submitted a
24 days ago
We have contacted a member of the eventum team and are waiting to hear back
23 days ago
lethanhphuc modified their report
22 days ago
We have sent a follow up to the eventum team. We will try again in 7 days.
20 days ago
lethanhphuc modified their report
19 days ago
lethanhphuc modified their report
19 days ago
eventum/eventum maintainer validated this vulnerability
19 days ago
lethanhphuc has been awarded the disclosure bounty
The fix bounty is now up for grabs
eventum/eventum maintainer confirmed that a fix has been merged on a4b6fd
19 days ago
lethanhphuc has been awarded the fix bounty
statuses.tpl.html#L169 has been validated
custom_fields.tpl.html#L199 has been validated
anonymous.tpl.html#L64 has been validated
projects.tpl.html#L274 has been validated
view_form.tpl.html#L77-L81 has been validated
adv_search.tpl.html#L375 has been validated
news.tpl.html#L136 has been validated
priorities.tpl.html#L157 has been validated
severities.tpl.html#L127 has been validated
round_robin.tpl.html#L134 has been validated
latest_news.tpl.html#L12 has been validated
list.tpl.html#L113-L114 has been validated
view_form.tpl.html#L117 has been validated
users_form.tpl.html#L152 has been validated
select_project.tpl.html#L43 has been validated
faq.tpl.html#L37 has been validated
custom_fields.tpl.html#L14 has been validated
groups.tpl.html#L157-L168 has been validated
releases.tpl.html#L114 has been validated
new_form.tpl.html#L50 has been validated
resolution.tpl.html#L104 has been validated
column_display.tpl.html#L18 has been validated
time_tracking.tpl.html#L94 has been validated
categories.tpl.html#L93 has been validated
custom_fields.tpl.html#L223 has been validated
time_tracking.tpl.html#L29 has been validated