Stored XSS in Page Title in omeka/omeka-s

Valid

Reported on

Aug 5th 2023


Description

In the latest version, the page title has been escaped and cannot trigger the XSS payload. However, by logging in as a user with other privileges, I see that it is still not escaped.

Proof of Concept

Step 1: Log in as Admin, create a page in site1 with the title ">test<img src=x onerror=prompt(1)> and see that the page title has been escaped and cannot trigger the XSS payload.

Step 2: User1 with the Author privilege

Step 3: Log in as User1, go to view the page of site1 and see that the payload is triggered.
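The defect the report describes is an inconsistency between render paths: the title is escaped on the view the admin sees but emitted raw on the view a lower-privileged user reaches. One way to catch that class of regression is to push the same title through every template that renders it and compare the tag count against a benign title. The following is an added example in Python, not Omeka S code; the view names, template fragments and URL are assumptions constructed for illustration.

```python
import html
import re

# Title from the report's proof of concept, used here as a constructed input.
POC_TITLE = '">test<img src=x onerror=prompt(1)>'

def escape_title(title: str) -> str:
    """Context-correct escaping for a title placed in HTML text or a quoted attribute."""
    return html.escape(title, quote=True)

# Hypothetical render paths for one page title. The admin view escapes, the two
# "before_fix" public views do not; the last one shows the corrected public view.
VIEWS = {
    "admin_page_view": lambda t: "<h1>%s</h1>" % escape_title(t),
    "public_page_view_before_fix": lambda t: "<h1>%s</h1>" % t,
    "public_nav_link_before_fix": lambda t: (
        '<a href="/s/site1/page/1" title="%s">%s</a>' % (t, t)),
    "public_page_view_fixed": lambda t: "<h1>%s</h1>" % escape_title(t),
}

TAG_RE = re.compile(r"<[^>]+>")

def leaks_markup(view, title: str) -> bool:
    """True if rendering `title` yields more tags than rendering a benign title.

    Any extra tag must have come from the title itself, so the view failed to
    escape it (in text context or by breaking out of an attribute).
    """
    baseline = len(TAG_RE.findall(view("benign title")))
    return len(TAG_RE.findall(view(title))) > baseline

def audit_views(title: str, views=VIEWS):
    """Return the names of every view that emits `title` unescaped, sorted."""
    return sorted(name for name, view in views.items() if leaks_markup(view, title))

if __name__ == "__main__":
    for name in audit_views(POC_TITLE):
        print("unescaped title in view:", name)
```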

Impact

The attacker can compromise user accounts.

We are processing your report and will contact the omeka/omeka-s team within 24 hours. 2 months ago
We have contacted a member of the omeka/omeka-s team and are waiting to hear back 2 months ago
John Flatness validated this vulnerability a month ago
tuannq2299 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
John Flatness marked this as fixed in 4.0.4 with commit 4482f4 a month ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Aug 28th 2023
John Flatness published this vulnerability 25 days ago