Cross-site Scripting (XSS) - Stored in collectiveaccess/providence

Valid

Reported on

Sep 24th 2021


Description

Stored XSS via event name

Proof of Concept

Please check this 1-minute video to reproduce the bug: https://drive.google.com/file/d/1iMDosuZYYmFy_JEVxXo7KB09TghKPs-7/view?usp=sharing
Here I used the XSS payload below:

xss2"'onmouseover=prompt();//

Impact

Stored XSS
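The payload above is an attribute-breakout: it closes the attribute the stored event name is written into and then appends an `onmouseover` handler. The added example below is not code from the report or from CollectiveAccess/Providence; it assumes a hypothetical edit-form template that writes the stored event name into a single-quoted `value` attribute (the real template and field names are not shown on the page). It renders the payload three ways and uses Python's standard-library HTML parser to show which rendering ends up with an event-handler attribute: the verbatim interpolation the maintainer describes as the old trusted-input default, a half measure that escapes only `<`, `>` and `&`, and a hardened form that also escapes both quote characters so the value cannot leave its attribute.

```python
"""Stored XSS via attribute breakout: vulnerable, partially filtered and
hardened renderings of an event-name field, checked with html.parser.
Added illustration with constructed templates; not Providence code."""
from html import escape
from html.parser import HTMLParser

# Payload exactly as posted in the report.
PAYLOAD = 'xss2"\'onmouseover=prompt();//'


def render_unsafe(event_name: str) -> str:
    # Assumed vulnerable template: trusts the stored value and interpolates it
    # verbatim into a single-quoted attribute (constructed for this example).
    return f"<input type=\"text\" name=\"event_name\" value='{event_name}'>"


def render_partial(event_name: str) -> str:
    # Common half measure: escaping only &, < and > stops tag injection but
    # leaves both quote characters intact, so attribute breakout still works.
    return f"<input type=\"text\" name=\"event_name\" value='{escape(event_name, quote=False)}'>"


def render_safe(event_name: str) -> str:
    # Hardened: escape &, <, >, " and ' before placing the value in the attribute.
    return f"<input type=\"text\" name=\"event_name\" value='{escape(event_name, quote=True)}'>"


class _AttrCollector(HTMLParser):
    """Records the attributes of the first <input> start tag it sees."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input" and not self.attrs:
            # html.parser lowercases names and entity-decodes values, so the
            # dict reflects what a browser would expose via element.attributes.
            self.attrs = dict(attrs)


def parse_input_attrs(fragment: str) -> dict:
    """Return the attribute map of the <input> element in the rendered fragment."""
    parser = _AttrCollector()
    parser.feed(fragment)
    parser.close()
    return parser.attrs


def has_event_handler(fragment: str) -> bool:
    """True if any on* attribute was smuggled onto the rendered element."""
    return any(name.startswith("on") for name in parse_input_attrs(fragment))


def summary(event_name: str = PAYLOAD) -> dict:
    """Map each rendering strategy to whether the payload yields a handler."""
    return {
        "unsafe": has_event_handler(render_unsafe(event_name)),
        "partial": has_event_handler(render_partial(event_name)),
        "safe": has_event_handler(render_safe(event_name)),
    }


if __name__ == "__main__":
    for label, fn in (("unsafe", render_unsafe), ("partial", render_partial), ("safe", render_safe)):
        html = fn(PAYLOAD)
        print(f"{label:8} {html}")
        print(f"         attrs={parse_input_attrs(html)} handler={has_event_handler(html)}")
```

In the unsafe and partially filtered renderings the parser reports a real `onmouseover` attribute whose value is the injected `prompt();//'`; in the hardened rendering the element carries only `type`, `name` and `value`, and the decoded `value` still equals the original string, which is the behaviour the maintainer's "filter all input by default" change is meant to guarantee. The point of the partial case is that the filter must match the output context: for attribute values, quotes are as dangerous as angle brackets.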

We have contacted a member of the collectiveaccess/providence team and are waiting to hear back 2 months ago
CollectiveAccess has invalidated this vulnerability 2 months ago

Again, default was to assume trusted data from logged in users, which is typical. We have changed the default to filter all input and made "as-is" input opt-in.

The disclosure bounty has been dropped
The fix bounty has been dropped
CollectiveAccess
2 months ago

Maintainer


See https://huntr.dev/bounties/0a648087-9b16-4cf5-acca-f25eda1329c7/

ranjit-git
2 months ago

Researcher


Can you please also update https://demo.collectiveaccess.org to the latest version?

CollectiveAccess
2 months ago

Maintainer


Actually I think you did find an issue... can we reopen this?

ranjit-git
2 months ago

Researcher


The admin can open this issue again.
@admin can you please reopen this report?

CollectiveAccess
2 months ago

Maintainer


https://github.com/collectiveaccess/providence/commit/aba331d0a46b6c911ffbef9e53b7c212c264e51e resolves this. Thank you for raising this issue. Apologies for the premature closing of it.

ranjit-git
2 months ago

Researcher


I asked the admin to reopen the report.
After it is reopened you can mark it as valid.

CollectiveAccess
2 months ago

Maintainer


Yes will do.

Jamie Slome
2 months ago

Admin


I have reverted the status of the report to pending.

CollectiveAccess confirmed that a fix has been merged on aba331 2 months ago
CollectiveAccess has been awarded the fix bounty