Cross-site Scripting (XSS) - Reflected in beancount/fava

Valid

Reported on

Jun 9th 2022


Description

The time parameter in fava is vulnerable to reflected XSS

Proof of Concept

  1. 1.Open the web browser to access the fava webpage.
  2. 2.Access the url: https://fava.pythonanywhere.com/example-beancount-file/income_statement/?time=%22%3E%3Cbutton+onclick%3Dalert%281%29%3EClICK+ME%3C%2Fbutton%3E Script will be reflected in on clicking the button.
  3. 3.when the victim clicks on the button -> Alert box will pop up

Image

https://drive.google.com/file/d/1PJ_kKyn5KrHbzplApD-rfhuwSbtsCTvS/view?usp=sharing

Impact

If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user. Amongst other things, the attacker can:

+Perform any action within the application that the user can perform.

+View any information that the user is able to view.

+Modify any information that the user is able to modify.

Initiate interactions with other application users, including malicious attacks, that will appear to originate from the initial victim user. There are various means by which an attacker might induce a victim user to make a request that they control, to deliver a reflected XSS attack. These include placing links on a website controlled by the attacker, or on another website that allows content to be generated, or by sending a link in an email, tweet or other message

We are processing your report and will contact the beancount/fava team within 24 hours. a year ago
saharshtapi modified the report
a year ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md a year ago
saharshtapi
a year ago

Researcher


@admin can you please sent the magic link to the maintainers at this emails mail@jakobschnitzer.de mail@jakobschnitzer.de PS: This email were provided by them in one of the GitHub issues and I has also contacted them via mail and they requested to access the reports without signing up Thanks

Jamie Slome
a year ago

Admin


Sorting this for you now ūüĎć

Jamie Slome
a year ago

Admin


I've dropped a comment on the GitHub Issue here. I do need to get authorised confirmation from the maintainers before sending any e-mails out with magic URLs.

saharshtapi
a year ago

Researcher


Understood. Appreciate it!!

We have opened a pull request with a SECURITY.md for beancount/fava to merge. a year ago
We have contacted a member of the beancount/fava team and are waiting to hear back a year ago
Jamie Slome
a year ago

Admin


E-mail sent ūüĎć

We have sent a follow up to the beancount/fava team. We will try again in 7 days. a year ago
A beancount/fava maintainer has acknowledged this report a year ago
A beancount/fava maintainer modified the Severity from Critical (9.6) to High (8) a year ago
A beancount/fava maintainer modified the Severity from High to Low a year ago
A beancount/fava maintainer
a year ago

Maintainer


Since Fava URLs are dependent on the name of the underlying Beancount journal and the base URLs, which should be private and require a previous attach to be determined by the attacker, I've marked the attack complexity as "high"

A beancount/fava maintainer modified the Severity from Low to High (8.2) a year ago
A beancount/fava maintainer modified the Severity from High (8.2) to High (8) a year ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
A beancount/fava maintainer validated this vulnerability a year ago
saharshtapi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
A beancount/fava maintainer marked this as fixed in 1.22 with commit ca9e38 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
A beancount/fava maintainer gave praise a year ago
Thank you for the report :)
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
to join this conversation