Cross-site Scripting (Stored XSS) in omeka/omeka-s
Valid
Reported on
Aug 2nd 2023
Description
For any role that has permission to execute function assets, I can add a new asset. Even though the site only allows uploading images and GIFs, I can still upload an HTML file by modifying the magic number, and that leads to XSS.
Proof of Concept
- Link PoC: https://docs.google.com/document/d/1LIADzS1q4rIhbCT_xSXzSdEiH9b6KYdgkSgMazRxB3A/edit?usp=sharing
- Link video PoC: https://photos.app.goo.gl/CtUgrWiarz93ULsG6
Impact
Through this vulnerability, an attacker is able to execute malicious scripts.
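The report describes an upload check that trusts a file's leading bytes. The sketch below is an added example, not code from the report or from Omeka S: it contrasts that weak check with one that also ties the stored extension and response headers to the sniffed type. The function names, the `MAGIC` and `EXTENSIONS` tables and the sample byte strings are all assumptions made for illustration.

```python
import os
import secrets

# Hypothetical helper names; leading bytes ("magic numbers") of accepted image types.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}
# Extensions that may be stored for each sniffed type.
EXTENSIONS = {
    "image/png": {".png"},
    "image/jpeg": {".jpg", ".jpeg"},
    "image/gif": {".gif"},
}

def sniff_type(data: bytes):
    """Return the image type implied by the leading bytes, or None."""
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    return None

def naive_accept(filename: str, data: bytes) -> bool:
    """Weak check: trusts the magic number and ignores the file name."""
    return sniff_type(data) is not None

def hardened_accept(filename: str, data: bytes):
    """Return (stored_name, response_headers) or raise ValueError."""
    mime = sniff_type(data)
    if mime is None:
        raise ValueError("content is not an accepted image type")
    # The client-supplied extension must agree with the sniffed type.
    ext = os.path.splitext(filename)[1].lower()
    if ext not in EXTENSIONS[mime]:
        raise ValueError(f"extension {ext!r} does not match {mime}")
    # The server picks the stored name, so the client never chooses the
    # extension that the web server maps to a Content-Type.
    stored_name = secrets.token_hex(16) + sorted(EXTENSIONS[mime])[0]
    headers = {"Content-Type": mime, "X-Content-Type-Options": "nosniff"}
    return stored_name, headers

# Constructed samples: a GIF header followed by inert markup, and a tiny GIF stub.
DISGUISED_HTML = b"GIF89a<html><body>constructed sample</body></html>"
REAL_GIF_HEAD = b"GIF89a\x01\x00\x01\x00\x00\x00\x00;"
```

A disguised file renamed to `.gif` still passes `hardened_accept`, but it is then stored and served as `image/gif` with `nosniff`, so a browser does not render it as a page; fully decoding the image server-side would reject it outright.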
We are processing your report and will contact the omeka/omeka-s team within 24 hours.
2 months ago
quanghuy25112000 modified the report
2 months ago
We have contacted a member of the omeka/omeka-s team and are waiting to hear back
2 months ago
The researcher's credibility has increased: +7
The fix bounty has been dropped
This vulnerability has been assigned a CVE