Application-Wide Stored Cross Site Scripting affecting all Users in pandorafms/pandorafms

Valid

Reported on Nov 3rd 2022


Description

Hi Team,

I have found a stored cross-site scripting vulnerability in the reporting dashboard module.

What is a stored cross-site scripting attack?

Stored XSS occurs when user-supplied input is stored and then rendered within a web page. Typical entry points for stored XSS are message forums, blog comments, user profiles and username fields. An attacker typically exploits this vulnerability by injecting XSS payloads into popular pages of a site or by passing a link to a victim, tricking them into viewing the page that contains the stored XSS payload. The victim visits the page and the payload is executed client-side by the victim's web browser.

Steps to reproduce:

Summary:

Create two more users apart from the admin user. In this scenario:

  • User1: dev - Group coordinator / Web Group
  • User2: lol - Operator (Write) / Web

Payload used:  '"><script>alert("Stored XSS !");alert(document.domain);</script>

1. Log in as User2 (lol), go to Reporting > Dashboard and click the "New dashboard" button.
2. Create a new dashboard, select "web" as the group, toggle on the Favourite tab, click the OK button and intercept the request.
3. Add the above payload in the name parameter and forward the request. Now refresh the web page and observe the payload execution.
4. Next, log in as the dev user and observe the payload execution.
5. Now log in as admin and observe the payload execution (the admin user is also affected by this attack, as admin belongs to all groups by default).

Note:

This attack scenario does not require user interaction for the payload execution.

Video POC:

https://drive.google.com/file/d/1Z2FRH08C3VK4FePtJ8d8VpuPqcFvcgtJ/view?usp=sharing

Impact

  • Perform any action within the application that the user can perform.
  • View any information that the user is able to view.
  • Modify any information that the user is able to modify.
  • Session hijacking, as the JavaScript code can easily access the session cookie since the HttpOnly flag is not set.

Mitigation:

  • Implement security headers such as X-XSS-Protection and CSP for an added layer of protection.
  • Proper input validation and sanitization should be performed.
  • Proper output encoding should be performed.
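The following is an added example written for this page, not Pandora FMS code and not part of the report above. It puts the vulnerable rendering pattern the report describes (a stored dashboard name concatenated straight into HTML) beside the hardened form, in PHP since that is the language of the affected application. Function names, the table row and the `href` are hypothetical; the payload is the one from the report. Two practitioner points it makes explicit: the payload begins with `'"`, so it first breaks out of an attribute value and encoding only `<` and `>` would not be enough, which is why `ENT_QUOTES` is passed to `htmlspecialchars`; and of the two headers named in the mitigation, only Content-Security-Policy still does anything in current browsers, since X-XSS-Protection has been removed from Chromium-based browsers and was never implemented by Firefox.

```php
<?php
// Added example (not Pandora FMS code): vulnerable vs. hardened rendering of
// a user-controlled dashboard name. Names are hypothetical; the payload is
// the one from the report.
declare(strict_types=1);

// Constructed sample row, as it might come back from the dashboards table
// after step 3 of the reproduction (the name is attacker-controlled).
const SAMPLE_DASHBOARD = [
    'id'   => 42,
    'name' => '\'"><script>alert("Stored XSS !");alert(document.domain);</script>',
];

// Vulnerable pattern: the stored name is concatenated into HTML, both inside
// an attribute value and as element text. The leading '" in the payload
// closes the title attribute and the browser then executes the <script>.
function render_dashboard_row_vulnerable(array $row): string
{
    return '<tr><td><a href="index.php?sec=reporting&sec2=dashboard&dashboardId=' . $row['id']
        . '" title="' . $row['name'] . '">' . $row['name'] . '</a></td></tr>';
}

// Hardened pattern: encode at output time for the HTML context being written.
// ENT_QUOTES encodes both ' and ", otherwise attribute values remain breakable.
// ENT_SUBSTITUTE avoids returning an empty string on invalid UTF-8, which would
// silently hide data instead of failing closed.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

function render_dashboard_row_safe(array $row): string
{
    $id   = html_escape((string) $row['id']);   // do not trust the type either
    $name = html_escape($row['name']);
    return '<tr><td><a href="index.php?sec=reporting&amp;sec2=dashboard&amp;dashboardId=' . $id
        . '" title="' . $name . '">' . $name . '</a></td></tr>';
}

// Defence in depth for the session-hijacking impact listed in the report:
// an HttpOnly session cookie keeps document.cookie away from injected script,
// and a CSP without 'unsafe-inline' blocks the inline <script> even if an
// encoding bug slips through. Call before session_start() and before any output.
function send_hardening_headers(): void
{
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', '1');
    ini_set('session.cookie_samesite', 'Lax');
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
}

// Self-check when run from the command line: the vulnerable output carries a
// live <script> tag, the hardened output carries only its encoded form.
if (PHP_SAPI === 'cli') {
    $bad  = render_dashboard_row_vulnerable(SAMPLE_DASHBOARD);
    $good = render_dashboard_row_safe(SAMPLE_DASHBOARD);
    if (!str_contains($bad, '<script>')
        || str_contains($good, '<script>')
        || !str_contains($good, '&lt;script&gt;')) {
        throw new RuntimeException('self-check failed');
    }
    echo "vulnerable: $bad\nhardened:   $good\n";
}
```

Run with `php example.php` (PHP 8 or later for `str_contains`). The point of the hardened version is that escaping happens where the value is written into HTML, not where it is stored: encoding on input would break the name for any non-HTML consumer (API, CSV export, e-mail) and still leaves every other rendering path of the same column to fend for itself.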
damodarnaik (Researcher):

Hi Team, this issue was found by me & argonx21 in collaboration.

pandorafms/pandorafms maintainer (acknowledged the report):

Fixed in v766 --> CVE-2022-45437

Timeline:

  • Validated by the pandorafms/pandorafms maintainer (10 months ago); disclosure bounty awarded to damodarnaik.
  • Marked as fixed in v766 with commit 75fe9d; dashboard.php#L1-L83 validated.
  • Platform note: no CVE assigned via the platform (the maintainer's comment above references CVE-2022-45437).
  • Published by the pandorafms/pandorafms maintainer (10 months ago).