Cross-site Scripting (XSS) - Reflected in knadh/listmonk

Valid

Reported on

Apr 30th 2022

Description

The listmonk application is vulnerable to reflected XSS in Partial SQL expression to query subscriber attributes.

Proof of Concept

1.Go to "Subscribers" -> "All subscribers" -> "Advanced"

2.Put this payload: "><img src=1 onerror=alert(document.location)> in the input filed.

3.Now click on Query then XSS will pop-up

Video POC

https://drive.google.com/file/d/1xecT0_PUpZ1Fwlzzm2TJvHBZw_b-eJv8/view?usp=sharing

Impact

This allows attackers to execute malicious scripts in the user's browser and it can lead to session hijacking, sensitive data exposure, and worse.

We are processing your report and will contact the knadh/listmonk team within 24 hours. a year ago

SAMPRIT DAS modified the report

a year ago

SAMPRIT DAS modified the report

a year ago

We have contacted a member of the knadh/listmonk team and are waiting to hear back a year ago

Kailash Nadh modified the Severity from Critical to Low a year ago

The researcher has received a minor penalty to their credibility for miscalculating the severity: -1

Kailash Nadh validated this vulnerability a year ago

SAMPRIT DAS has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Kailash Nadh marked this as fixed in v2.1.0 with commit a94f23 a year ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

SAMPRIT DAS

commented a year ago

Researcher

@knadh @admin Can I get CVE for this report?

Jamie Slome

commented a year ago

Admin

It does not appear that the severity of the issue is significant enough to warrant a CVE, as mentioned by the maintainer on GitHub.

to join this conversation

We are processing your report and will contact the knadh/listmonk team within 24 hours. a year ago

SAMPRIT DAS modified the report

a year ago

SAMPRIT DAS modified the report

a year ago

We have contacted a member of the knadh/listmonk team and are waiting to hear back a year ago

Kailash Nadh modified the Severity from Critical to Low a year ago

The researcher has received a minor penalty to their credibility for miscalculating the severity: -1

Kailash Nadh validated this vulnerability a year ago

SAMPRIT DAS has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Kailash Nadh marked this as fixed in v2.1.0 with commit a94f23 a year ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

SAMPRIT DAS

commented a year ago

Researcher

@knadh @admin Can I get CVE for this report?

Jamie Slome

commented a year ago

Admin

It does not appear that the severity of the issue is significant enough to warrant a CVE, as mentioned by the maintainer on GitHub.

to join this conversation