Cross-site Scripting (XSS) - Stored in fisharebest/webtrees


Reported on

Sep 12th 2021

โœ๏ธ Description

A malicious actor is able to add a malicious payload as a Family Tree Title, and after click the Family Tree nav button from the My Pages Menu, the XSS payload is executed.

๐Ÿ•ต๏ธโ€โ™‚๏ธ Proof of Concept

1;Create a new family tree, either when logging in after install for the first time, or through the control panel ยป Create a Family Tree button. Use the following payload as the Family tree title: <script>alert("This Is An XSS POC");</script>

2; Save the family tree and navigate to the My page menu

3; Click the Family trees menu (in case of only 1 tree), or select the malicious tree from the dropdown.

4; When the "GET /webtrees/index.php?route=%2Fwebtrees%2Ftree%2Ftree1" (in case the malicious tree is tree1) is executed, the XSS payload gets executed, so navigation here is possible with just the link

๐Ÿ’ฅ Impact

The danger of the stored XSS is that malicious actor is able to gather session identifiers from any users (including admin users!) browsing the affected target's tree. Upon receiving this information, the Confidentiality of sessions is compromised. ๐Ÿ“ Location trees.phtml#L44

We have contacted a member of the fisharebest/webtrees team and are waiting to hear back 2 years ago
PHoward modified the report
2 years ago
Greg Roach validated this vulnerability 2 years ago
PHoward has been awarded the disclosure bounty
The fix bounty is now up for grabs
Greg Roach marked this as fixed with commit a743d8 2 years ago
Greg Roach has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation