Cross-site Scripting (XSS) - DOM in emoncms/emoncms

Valid

Reported on

Dec 6th 2021


Description

EmonCMS 10.9.19 has a DOM-based XSS vulnerability: JavaScript code injected as imported data is executed in the page.

Proof of Concept

1 - Log in to the app and browse to the section Feeds > Import Data.

2 - Add <script>alert(1)</script>,a or 1638807909,<script>alert(2)</script> in the CSV area, then click on one of the empty fields (e.g. tag or name).

3 - The JavaScript code is executed.

Impact

This vulnerability allows execution of arbitrary JavaScript code within the user's session.

Occurrences

The time value supplied by the user is inserted into the page unsanitized via html():

$("#import-alert").html("<b>Error:</b> invalid time: "+time).show();

The value field supplied by the user is inserted into the page unsanitized via html():

$("#import-alert").html("<b>Error:</b> invalid value: "+value).show();
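
The two sinks above next to a hardened form, as an added example that is not emoncms code and does not claim to reproduce the fix commit. The function names, the "time,value" row format and the validation rules are assumptions made for illustration; the sample rows are the two from the proof of concept plus one constructed valid row.

```javascript
// Added example, not emoncms code. All function names are hypothetical.

// Escape the five characters that are significant in HTML text and attributes.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Mirrors the reported pattern: user data concatenated into a string that is
// then handed to jQuery .html(), so markup in `field` is parsed as HTML.
function alertMarkupUnsafe(label, field) {
  return "<b>Error:</b> invalid " + label + ": " + field;
}

// Hardened form: the static markup stays, the user-controlled part is escaped.
function alertMarkupSafe(label, field) {
  return "<b>Error:</b> invalid " + label + ": " + escapeHtml(field);
}

// Validate one "time,value" CSV row (assumed format, based on the PoC rows).
// Returns null when the row is valid, otherwise the markup for the alert box.
function checkRow(line, render) {
  const parts = line.split(",");
  const time = (parts[0] || "").trim();
  const value = (parts[1] || "").trim();
  if (!/^\d+$/.test(time)) return render("time", time);
  if (value === "" || !Number.isFinite(Number(value))) return render("value", value);
  return null;
}

// Sample rows: the two PoC rows from the report plus a constructed valid one.
const SAMPLE_ROWS = [
  "<script>alert(1)</script>,a",
  "1638807909,<script>alert(2)</script>",
  "1638807909,21.5",
];

function renderAll(render) {
  return SAMPLE_ROWS.map((row) => checkRow(row, render));
}

console.log("unsafe:", renderAll(alertMarkupUnsafe));
console.log("safe:  ", renderAll(alertMarkupSafe));
```

In the browser the same effect is obtained by keeping the <b>Error:</b> prefix as static markup and adding the user value with jQuery .text() or a text node, so it is never parsed as HTML.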

We are processing your report and will contact the emoncms team within 24 hours. 2 years ago
midist0xf modified the report
2 years ago
We have contacted a member of the emoncms team and are waiting to hear back 2 years ago
We have sent a follow up to the emoncms team. We will try again in 7 days. 2 years ago
Trystan Lea validated this vulnerability 2 years ago
midist0xf has been awarded the disclosure bounty
The fix bounty is now up for grabs
Trystan Lea marked this as fixed in 10.9.22 with commit d4665f 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
importer.js#L47 has been validated
importer.js#L40 has been validated
midist0xf
2 years ago

Researcher


Hi Trystan, is it OK for you if huntr starts the process to request a CVE related to this vulnerability? Thanks
