Cross-site Scripting (XSS) - Stored in fisharebest/webtrees

Valid

Reported on

Sep 12th 2021


โœ๏ธ Description

A malicious actor can set a malicious payload as a family tree title; when a user then clicks the Family trees button in the My pages menu, the XSS payload is executed.

๐Ÿ•ต๏ธโ€โ™‚๏ธ Proof of Concept

1. Create a new family tree, either when logging in for the first time after installation, or through the control panel » Create a Family Tree button. Use the following payload as the family tree title: <script>alert("This Is An XSS POC");</script>

2. Save the family tree and navigate to the My page menu.

3. Click the Family trees menu (if there is only one tree), or select the malicious tree from the dropdown.

4. When the request "GET /webtrees/index.php?route=%2Fwebtrees%2Ftree%2Ftree1" (where the malicious tree is tree1) is made, the XSS payload is executed, so the vulnerable page can also be reached directly via that link.

💥 Impact

The danger of this stored XSS is that a malicious actor can gather session identifiers from any user (including admin users!) who browses the affected tree. Once obtained, the confidentiality of those sessions is compromised.

📍 Location

trees.phtml#L44
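The defect behind this report, reduced to a small template, as an added example that is not webtrees' own code: the tree title is stored data that the vulnerable template echoes into the markup unescaped, and the fix is to encode it for its HTML context at output time. The function names, the `e()` helper and the link format are assumptions for illustration; only the route and the payload come from the report.

```php
<?php
// Added example, not code from webtrees. Illustrates the stored-XSS pattern
// reported for trees.phtml: a tree title from the database is rendered raw.
declare(strict_types=1);

/** Encode a string for an HTML text node or quoted attribute value (hypothetical helper). */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable rendering: the stored title goes straight into the markup. */
function renderTreeLinkVulnerable(string $treeName, string $title): string
{
    $href = '/webtrees/index.php?route=%2Fwebtrees%2Ftree%2F' . rawurlencode($treeName);
    return '<a href="' . $href . '">' . $title . '</a>';
}

/** Hardened rendering: every attacker-influenced value is encoded for its context. */
function renderTreeLinkSafe(string $treeName, string $title): string
{
    $href = '/webtrees/index.php?route=%2Fwebtrees%2Ftree%2F' . rawurlencode($treeName);
    return '<a href="' . e($href) . '">' . e($title) . '</a>';
}

// The payload from the proof of concept, as it would sit in the stored tree title.
$title = '<script>alert("This Is An XSS POC");</script>';

// Vulnerable output contains a live <script> element; the browser executes it.
$unsafe = renderTreeLinkVulnerable('tree1', $title);
echo $unsafe, PHP_EOL;

// Hardened output shows the title as literal text; no script element exists.
$safe = renderTreeLinkSafe('tree1', $title);
echo $safe, PHP_EOL;

// Regression check a project could keep in its test suite: no raw tag survives.
assert(strpos($unsafe, '<script>') !== false);
assert(strpos($safe, '<script') === false);
assert(strpos($safe, '&lt;script&gt;') !== false);
```

The same encoding must be applied at every place the title is rendered, not only the one line the report points to, and a value placed inside a JavaScript block or a URL needs encoding for that context instead.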

We have contacted a member of the fisharebest/webtrees team and are waiting to hear back 11 days ago
PHoward modified their report 11 days ago
Greg Roach validated this vulnerability 8 days ago
PHoward has been awarded the disclosure bounty
The fix bounty is now up for grabs
Greg Roach confirmed that a fix has been merged on a743d8 8 days ago
Greg Roach has been awarded the fix bounty