Cross-site Scripting (XSS) - Reflected in cortezaproject/corteza-server

Valid

Reported on

Feb 11th 2022


Description

The logout function doesn't clean/filter the value of the "back" parameter before reflecting it into the HTML response, leading to a Reflected XSS vulnerability.

Proof of Concept

Visit URL: https://latest.cortezaproject.org/auth/logout?back=%22%3E%3Cscript%3Ealert(origin)%3C/script%3E%3C%22

Poc: https://drive.google.com/file/d/13LU2PhHgD9_82gSxKwoo3266YdpMxWlD/view?usp=sharing

Impact

Reflected XSS. An attacker can steal the user's data or mount a phishing attack.
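As an added illustration (this is not corteza-server's code and the function names are hypothetical), the Go program below contrasts a handler that concatenates the "back" parameter straight into HTML with one that escapes it for the attribute context; sanitizeBack is an assumed extra check that also keeps the parameter from being used for an open redirect.

```go
package main

import (
	"fmt"
	"html"
	"net/url"
	"strings"
)

// Constructed value with the same shape as the report's payload: it closes
// the surrounding attribute and injects a script element.
const samplePayload = `"><script>alert(origin)</script><"`

// renderLogoutUnsafe models the vulnerable pattern: the raw "back" value is
// concatenated into HTML, so attacker-controlled markup is emitted verbatim.
func renderLogoutUnsafe(back string) string {
	return fmt.Sprintf(`<a href="%s">Continue</a>`, back)
}

// renderLogoutEscaped applies the direct fix: the value is HTML-escaped for
// the attribute context, so quotes and angle brackets become entities.
func renderLogoutEscaped(back string) string {
	return fmt.Sprintf(`<a href="%s">Continue</a>`, html.EscapeString(back))
}

// sanitizeBack is an assumed additional check, not part of the project's fix:
// it only accepts a same-site relative path, so the parameter cannot be used
// for an open redirect either. Anything else falls back to "/".
func sanitizeBack(back string) string {
	u, err := url.Parse(back)
	if err != nil || u.Scheme != "" || u.Host != "" ||
		!strings.HasPrefix(u.Path, "/") ||
		strings.HasPrefix(u.Path, "//") { // "///host" still resolves off-site in browsers
		return "/"
	}
	return u.String()
}

// containsScript reports whether a rendered page still carries a live <script> tag.
func containsScript(rendered string) bool {
	return strings.Contains(rendered, "<script")
}

func main() {
	fmt.Println("unsafe:  ", renderLogoutUnsafe(samplePayload))
	fmt.Println("escaped: ", renderLogoutEscaped(samplePayload))
	fmt.Println("hardened:", renderLogoutEscaped(sanitizeBack(samplePayload)))
	fmt.Println("allowed: ", renderLogoutEscaped(sanitizeBack("/dashboard?x=1")))
}
```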

We are processing your report and will contact the cortezaproject/corteza-server team within 24 hours. 4 months ago
We have contacted a member of the cortezaproject/corteza-server team and are waiting to hear back 4 months ago
We have sent a follow up to the cortezaproject/corteza-server team. We will try again in 7 days. 3 months ago
We have sent a second follow up to the cortezaproject/corteza-server team. We will try again in 10 days. 3 months ago
Denis Arh validated this vulnerability 3 months ago
nhiephon has been awarded the disclosure bounty
The fix bounty is now up for grabs
Denis Arh confirmed that a fix has been merged on 8c0a62 3 months ago
The fix bounty has been dropped
handle_logout.go#L25 has been validated
amammad
3 months ago

Nice catch nhiephon 👍
