XSS Vulnerabilities in Search Functionality and Course Tags in frappe/lms

Valid

Reported on

Sep 12th 2023


Description

  1. XSS via Image Error in Search Box:

    • The search functionality inserts user-controlled content into the page as raw HTML instead of as text. A search value containing an <img> element with an unreachable src and an onerror handler is therefore rendered as a real element: the image fails to load, the browser fires the onerror handler, and the attacker's JavaScript executes in the victim's browser with the victim's session, where it can read page data, issue requests on the victim's behalf or exfiltrate sensitive information.
  2. XSS in Course Tags:

    • The course tags feature on the course creation/edit page renders tag values without escaping them. An attacker who can create or edit a course can store a script payload in a tag; the payload executes in the browser of every user who later views or interacts with that course, which can lead to account compromise, data theft or unauthorized actions within the application. The input should be validated and, more importantly, output-encoded for the context in which it is rendered.

Proof of Concept

<img src="x" onerror="document.write('test')" />
<iframe srcdoc="<script>var secret='secret!'; alert(secret)</script>"></iframe>

app/exercise-latest-submission (/lms/www/people/index.js:39)

$(".member-parent").append(data.message.user_details);
This value is appended as HTML and needs to be escaped or sanitized first: insert it with jQuery's .text() method, which treats the string as plain text, or, if HTML is genuinely intended, pass it through DOMPurify.sanitize() before appending.

/courses/new-course/edit (/lms/www/courses/create.js:54)

Sanitize user input and escape special characters so that user-provided data is never interpreted as markup or script, e.g.:
  const sanitizedInput = $(e.target).val().replace(/</g, '&lt;').replace(/>/g, '&gt;');
Note that replacing only < and > is sufficient for element content but not for attribute values, where a double quote alone is enough to break out; escaping &, " and ' as well (or using .text()) covers both contexts.
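The two sinks above need different treatment depending on where the value lands: an angle-bracket-only replacement is enough for element content but not for an attribute, where a single double quote adds a new attribute. The following is an added example, not code from this report or from the frappe/lms repository. It models both sinks with hypothetical helpers (renderInText, renderInAttribute), compares the </> replacement from the suggested fix with a full five-character HTML escape (the equivalent of inserting through jQuery's .text()), and uses two constructed payloads: the report's img onerror PoC and an attribute-breakout string that contains no angle brackets at all. It is plain JavaScript and runs under Node without a DOM.

```javascript
// Added example, not code from the frappe/lms report or repository. Pure string
// functions only, so it runs under Node without jQuery or a DOM. The render
// helpers are hypothetical stand-ins for the two sinks named in the report.

// The fix suggested in the report: replace only the angle brackets.
function escapeLtGtOnly(value) {
  return String(value).replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// A full HTML escape: the five characters that can change meaning in element
// content or in double/single-quoted attribute values. jQuery's .text() gives
// the same protection for element content because it never parses the string.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// No escaping at all: what the vulnerable code effectively does.
const noEscape = (value) => String(value);

// Sink 1 (hypothetical): the value lands in element content, as with
// $(".member-parent").append(user_details).
function renderInText(value, escape) {
  return `<span class="tag">${escape(value)}</span>`;
}

// Sink 2 (hypothetical): the value lands in a double-quoted attribute, e.g. a
// course tag echoed into a title attribute.
function renderInAttribute(value, escape) {
  return `<span class="tag" title="${escape(value)}">tag</span>`;
}

// Rough parse helpers to show what a browser would see. Not a real HTML
// parser; adequate for the two fragments produced above.
function openingTagNames(html) {
  return [...html.matchAll(/<([a-zA-Z][\w-]*)/g)].map((m) => m[1]);
}
function firstTagAttributeNames(html) {
  const openTag = html.slice(0, html.indexOf(">"));
  return [...openTag.matchAll(/\s([a-zA-Z][\w-]*)\s*=\s*"/g)].map((m) => m[1]);
}
function hasEventHandler(html) {
  return firstTagAttributeNames(html).some((name) => /^on/i.test(name));
}

// Constructed payloads: the report's PoC, and an attribute breakout with no
// angle brackets, which the </> replacement leaves untouched.
const IMG_PAYLOAD = `<img src="x" onerror="document.write('test')" />`;
const ATTR_PAYLOAD = `" onmouseover="alert(document.cookie)`;

// true means the rendered fragment still carries an injected element or an
// injected event-handler attribute, i.e. the sink is still exploitable.
function evaluate() {
  return {
    textUnescaped: openingTagNames(renderInText(IMG_PAYLOAD, noEscape)).includes("img"),
    textLtGtOnly: openingTagNames(renderInText(IMG_PAYLOAD, escapeLtGtOnly)).includes("img"),
    textFull: openingTagNames(renderInText(IMG_PAYLOAD, escapeHtml)).includes("img"),
    attrUnescaped: hasEventHandler(renderInAttribute(ATTR_PAYLOAD, noEscape)),
    attrLtGtOnly: hasEventHandler(renderInAttribute(ATTR_PAYLOAD, escapeLtGtOnly)),
    attrImgLtGtOnly: hasEventHandler(renderInAttribute(IMG_PAYLOAD, escapeLtGtOnly)),
    attrFull: hasEventHandler(renderInAttribute(ATTR_PAYLOAD, escapeHtml)),
  };
}

console.log(JSON.stringify(evaluate(), null, 2));
```

Run it with node. The three results that stay true under the angle-bracket-only escape are the point: the quote-based payload and even the original img payload still add an event-handler attribute when the value is placed in an attribute. The fix at create.js:54 should therefore escape &, " and ' as well, or route the value through .text(), and any place that intentionally renders HTML should go through DOMPurify.sanitize() instead of hand-rolled replacements.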

[Attached screenshots: Image 1, Image 2, Image 3]

Impact

  1. XSS via Image Error in Search Box:

    • Data Theft: Script running in the victim's browser can read page content and make authenticated requests, so an attacker can steal sensitive data such as session tokens or information shown on the page, for use in account takeover or identity theft.
    • Session Hijacking: With access to the victim's session, the attacker can impersonate the user and perform actions on their behalf without their consent.
    • Malicious Actions: The injected script can issue unauthorized requests or change account settings as the victim, damaging data integrity and user trust.
    • Reputation Damage: Public discovery of such a vulnerability harms the reputation of the affected site and erodes user confidence.
  2. XSS in Course Tags:

    • Data Exposure: The injected script runs with the viewer's privileges and can read or request sensitive data available to that user, including profile details and course information.
    • Account Compromise: Because the script executes in other users' browsers, the attacker can act as those users, gaining unauthorized access to and control over their profiles and course-related data.
    • Content Manipulation: The script can alter the content and behaviour of the page around the course tags, leading to unintended actions or a disrupted user experience.
    • Reputation Damage: The presence of such a vulnerability damages the reputation of the affected educational platform and diminishes user trust.

Occurrences

References

We are processing your report and will contact the frappe/lms team within 24 hours. 5 months ago
We have contacted a member of the frappe/lms team and are waiting to hear back 5 months ago
scott lindh
5 months ago

Researcher


@admin How did you reach out, via what method? I can see they are actively pushing to git.

Ben Harvie
5 months ago

Admin


We have reached out via email.

scott lindh
5 months ago

Researcher


@admin

Hello,

Thanks for reporting this issue.

The issue has been fixed. https://github.com/frappe/lms/pull/622

I had already replied to security@huntr.dev when the fix was made.

Regards,
Jannat Patel.
Ben Harvie validated this vulnerability 5 months ago
scottie has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Ben Harvie marked this as fixed in 5614a6203fb7d438be8e2b1e3030e4528d170ec4 with commit 5614a6 5 months ago
The fix bounty has been dropped
This vulnerability has now been published 5 months ago
create.js#L54 has been validated
Jannat Patel
4 months ago

Maintainer


As mentioned by @scott the issue has been resolved. Thanks Scott for bringing this to my notice.

Jannat Patel gave praise 4 months ago
Thanks Scott for bringing this to my notice.
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Ben Harvie
4 months ago

Admin


Hi Jannat, I manually validated the report on your behalf from Scott's provided information. Would you like to assign a CVE to this report and I can do so manually?

Jannat Patel
4 months ago

Maintainer


@Ben can you provide a CVE from your end? If not I'll do it.

Ben Harvie
4 months ago

Admin


CVE assigned as requested :)

scott lindh
4 months ago

Researcher


Thanks kindly!!
