Cross-site Scripting (XSS) - Stored in tsolucio/corebos
Nov 28th 2021
coreBOS is vulnerable to Stored XSS via Entity Name in User Preferences.
Steps to reproduce
1. After login, click on the avatar icon in the top right corner to go to My Preferences.
2. Click the Edit button.
3. In the Last Name field, input the payload
<SvG/onLoad=confirm(document.cookie)> then click the Save button.
4. Now you will see that the payload has been filtered in the Last Name field. However, it is displayed in the Entity Name field.
5. To trigger the XSS, click on the Entity Name field, then click the Save button under that field.
6. Reload the page or go to the homepage; you will see that the XSS is triggered.
Proof of Concept
You can check my PoC here: PoC
This vulnerability can be used to steal a user's cookie and, through the stolen cookie, gain unauthorized access to that user's account.
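The pattern behind step 4 (a value filtered where it is entered, then emitted raw in a field derived from it) and its fix, as an added PHP example that is not coreBOS code or part of the original report. The function names, the array keys and the way the Entity Name is composed are assumptions made for illustration.

```php
<?php
// Added illustration; every name below is hypothetical, not coreBOS source.

// Defence in depth for the impact described above: an HttpOnly session cookie
// is not readable through document.cookie. Call this before session_start().
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);

// Assumed derived display value built from stored profile fields.
function entityName(array $user): string
{
    return trim($user['first_name'] . ' ' . $user['last_name']);
}

// Weak pattern: the derived value is interpolated into markup unencoded,
// so filtering applied to the Last Name field alone does not cover it.
function renderEntityNameUnsafe(array $user): string
{
    return '<span class="entity-name">' . entityName($user) . '</span>';
}

// Hardened pattern: encode at the output sink, independent of any
// filtering that did or did not happen when the value was saved.
function renderEntityNameSafe(array $user): string
{
    $encoded = htmlspecialchars(
        entityName($user),
        ENT_QUOTES | ENT_SUBSTITUTE,
        'UTF-8'
    );
    return '<span class="entity-name">' . $encoded . '</span>';
}

// Constructed record holding the payload from step 3 of the report.
$user = [
    'first_name' => 'Test',
    'last_name'  => '<SvG/onLoad=confirm(document.cookie)>',
];

echo renderEntityNameUnsafe($user), PHP_EOL; // tag reaches the browser as markup
echo renderEntityNameSafe($user), PHP_EOL;   // tag is shown as inert text
```

The same encoding has to be applied at every place a stored or derived user value is written into HTML, not only in the form where it was entered.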