Cross-site Scripting (XSS) - Stored in fisharebest/webtrees
Reported on
Sep 12th 2021
✍️ Description
A malicious actor is able to add a malicious payload as a Family Tree title; after clicking the Family Tree nav button from the My Pages menu, the XSS payload is executed.
🕵️‍♂️ Proof of Concept
1. Create a new family tree, either when logging in after install for the first time, or through the control panel » Create a Family Tree button. Use the following payload as the Family tree title: <script>alert("This Is An XSS POC");</script>
2. Save the family tree and navigate to the My page menu.
3. Click the Family trees menu (in case of only 1 tree), or select the malicious tree from the dropdown.
4. When the "GET /webtrees/index.php?route=%2Fwebtrees%2Ftree%2Ftree1" request (in case the malicious tree is tree1) is executed, the XSS payload gets executed, so navigation here is possible with just the link.
💥 Impact
The danger of the stored XSS is that a malicious actor is able to gather session identifiers from any user (including admin users!) browsing the affected target's tree. Upon receiving this information, the confidentiality of sessions is compromised.
📍 Location
trees.phtml#L44