Stored XSS on entire Client site in fossbilling/fossbilling
Reported on
Jun 15th 2023
Description
Admin or Staff with "System" permission can produce a stored XSS on the entire Client site
Proof of Concept
Edit the "Signature" field to this value: "FOSSBilling.org - Client Management, Invoice and Support Software"><img src=x onerror=alert(document.domain)>"
Then it will trigger on every Client screen
Seems like it was rendered to the footer
Impact
Since the cookie used for sessions was set with the "HttpOnly" attribute, the attacker cannot hijack user sessions, but can still carry out malicious actions through the XSS vulnerability, such as:
- Users are being redirected to a malicious website.
- Capturing keystrokes from users.
- Obtaining access to a user’s browsing history and clipboard contents.
- Execution of web browser-based exploits (e.g., crashing the browser).
- Influencing the users to submit requests to a server controlled by the attacker.
- Modifying the page’s content.
- Using deception to trick the victim into disclosing their password to the application or other applications.
- Using a security vulnerability in the web browser, infecting the victim with other malicious code, and potentially taking over the victim’s computer.
Fixed here : https://github.com/FOSSBilling/FOSSBilling/pull/1338
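The report above does not include code, so the following is an added example (not FOSSBilling's own code, and not the content of the linked PR) that models the bug class it describes: a staff-editable "Signature" string interpolated raw into a footer template that every client page shares, so one stored value executes on every client screen. The footer template shape, the function names and the `findUnexpectedTags` check are assumptions for illustration; the payload is the one from the proof of concept, and the `">` at its start is why the example places the value inside a double-quoted attribute.

```javascript
// Added example, not code from FOSSBilling or from the report's author.
// Models a stored XSS in a shared footer: the vulnerable render interpolates
// the stored "Signature" string unchanged, the fixed render HTML-escapes it.

// Constructed value, as an attacker holding the "System" permission would
// save it in the Signature field (taken from the report's PoC).
const SIGNATURE_PAYLOAD =
  'FOSSBilling.org - Client Management, Invoice and Support Software">' +
  '<img src=x onerror=alert(document.domain)>';

// Escape the five characters that matter in HTML text nodes and in
// double- or single-quoted attribute values. This is the same set that a
// template engine's HTML autoescape strategy covers.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable (assumed template shape): the signature lands inside a
// double-quoted attribute and inside a text node without escaping. A value
// containing `">` closes the attribute and the start tag, and everything
// after it is parsed as new markup, here an <img> with an onerror handler.
function renderFooterUnsafe(signature) {
  return `<footer><a href="/" title="${signature}">${signature}</a></footer>`;
}

// Fixed: every interpolation is escaped for its HTML context, so the stored
// string can only ever be rendered as text, in both the attribute and the
// text node.
function renderFooterSafe(signature) {
  const s = escapeHtml(signature);
  return `<footer><a href="/" title="${s}">${s}</a></footer>`;
}

// Regression check for a template whose tag set you know: list every start
// tag in the rendered footer and return the ones that were not supposed to
// be there. This is a regex over a template you control, not an HTML parser,
// so it is a test-suite helper rather than a sanitizer.
function findUnexpectedTags(html, allowedTags = ['footer', 'a']) {
  const starts = [...html.matchAll(/<([a-zA-Z][\w-]*)\b[^>]*>/g)];
  return starts
    .map((m) => m[1].toLowerCase())
    .filter((tag) => !allowedTags.includes(tag));
}

function demo() {
  const unsafe = renderFooterUnsafe(SIGNATURE_PAYLOAD);
  const safe = renderFooterSafe(SIGNATURE_PAYLOAD);
  console.log('unsafe footer injects:', findUnexpectedTags(unsafe)); // [ 'img', 'img' ]
  console.log('safe footer injects:  ', findUnexpectedTags(safe));   // []
  return { unsafe, safe };
}

demo();
```

The check deliberately looks for unexpected start tags rather than for the string `onerror`: after escaping, the text `onerror=alert(document.domain)` is still present in the page as inert attribute and text content, and a substring match on it would report a false positive on the fixed output.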
@maintainer I forgot about this one, could you please also assign a CVE for this report?
Thanks!
Sure. It's not receiving a CVE for two primary reasons: 1: It's just barely a medium severity at 4.3. 2: It has to be exploited by somebody who is trusted enough within the company or organization to have permissions within FOSSBilling that would allow them to modify company information such as the phone number, mailing address, email address, or even the terms of service. (This is the primary reason.)
While this is a valid vulnerability and has been marked and resolved as such, someone with the permissions required to exploit it could still potentially do significant damage without the XSS vulnerability existing simply as a result of what the system administrator has given them access to.