Cross-site Scripting (XSS) - DOM in emoncms/emoncms

Valid

Reported on

Dec 6th 2021


Description

EmonCMS 10.9.19 has a DOM-based XSS vulnerability: JavaScript code injected as imported data is executed in the page.

Proof of Concept

1 - Log in to the app and browse to the section Feeds > Import Data.

2 - Add <script>alert(1)</script>,a or 1638807909,<script>alert(2)</script> in the CSV area, then click on one of the empty fields (e.g. tag or name).

3 - The JavaScript code is executed.

Impact

This vulnerability allows arbitrary JavaScript code to be executed within the user's session.

Occurrences

The time value entered by the user is inserted into the page unsanitized via html()

$("#import-alert").html("<b>Error:</b> invalid time: "+time).show();

The "value" field entered by the user is inserted into the page unsanitized via html()

$("#import-alert").html("<b>Error:</b> invalid value: "+value).show();
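
The two sinks above, reworked as an added example (not emoncms code and not the merged fix): the untrusted CSV field is HTML-escaped before it is concatenated into the string handed to html(). The helper names escapeHtml, checkCsvLine and vulnerableMessage and the numeric validation rules are assumptions; the sample inputs are the payloads from the proof of concept.

```javascript
// Added example, not emoncms code. Runs under Node without jQuery or a DOM.

// Escape the characters that can start markup or break out of an attribute.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// The pattern from the report: raw input concatenated into an HTML string.
function vulnerableMessage(time) {
  return "<b>Error:</b> invalid time: " + time;
}

// Hypothetical validator for one "time,value" CSV line.
// Assumption: time is a Unix timestamp in digits, value is a decimal number.
// On failure, `html` is safe to pass to $("#import-alert").html(...) because
// the only markup in it is the fixed <b> tag; the user's text is escaped.
function checkCsvLine(line) {
  const parts = line.split(",");
  const time = (parts[0] ?? "").trim();
  const value = (parts[1] ?? "").trim();
  if (!/^\d+$/.test(time)) {
    return { ok: false, html: "<b>Error:</b> invalid time: " + escapeHtml(time) };
  }
  if (!/^-?\d+(\.\d+)?$/.test(value)) {
    return { ok: false, html: "<b>Error:</b> invalid value: " + escapeHtml(value) };
  }
  return { ok: true, time: Number(time), value: Number(value) };
}

// The two proof-of-concept lines plus one well-formed line (constructed).
const samples = [
  "<script>alert(1)</script>,a",
  "1638807909,<script>alert(2)</script>",
  "1638807909,21.5",
];
for (const line of samples) {
  console.log(JSON.stringify(checkCsvLine(line)));
}
```

With jQuery available, setting the untrusted part through .text() on its own element gives the same result without a hand-written escaper.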

We are processing your report and will contact the emoncms team within 24 hours. (a month ago)
midist0xf modified their report (a month ago)
We have contacted a member of the emoncms team and are waiting to hear back. (a month ago)
We have sent a follow up to the emoncms team. We will try again in 7 days. (a month ago)
Trystan Lea validated this vulnerability (a month ago)
midist0xf has been awarded the disclosure bounty
The fix bounty is now up for grabs
Trystan Lea confirmed that a fix has been merged on d4665f (a month ago)
The fix bounty has been dropped
importer.js#L47 has been validated
importer.js#L40 has been validated