Cross-site Scripting (XSS) - Stored in leantime/leantime

Valid

Reported on

Nov 24th 2021


Description

I found a stored XSS in the title of the content.

Proof of Concept

Steps

1. First, build the environment with Docker and create an administrator user.

2. Next, create a new "To-Do" from "Project Dashboard" in the left menu. (/)

3. Next, create an account with the "Team Member" role from "User Management" in the menu on the right side, and assign it to the project created earlier. (/users/newUser/)

4. Then log in as the member user created above in another private tab.

5. Then select "Retrospectives" from the menu on the left and click "Add More". (/retrospectives/showBoards)

6. Then embed the following payload in "Description" and save it:

"/></script><script>alert(3)</script>

POST /retrospectives/retroDialog/ HTTP/1.1
Host: localhost
 ...
canvasId=&box=well&itemId=&description=%22%2F%3E%3C%2Fscript%3E%3Cscript%3Ealert(3)%3C%2Fscript%3E%0D%0A&data=%22%2F%3E%3C%2Fscript%3E%3Cscript%3Ealert(10)%3C%2Fscript%3E%0D%0A&milestoneId=&changeItem=1

7. Finally, when you open "Retrospectives" as the administrator user, a pop-up is displayed.

From the above, it is confirmed that a stored XSS payload embedded by a normal user is executed on the administrator's screen.

Summary

- Endpoint: POST /retrospectives/retroDialog/

- Parameter: description

- Test Payload: "/></script><script>alert(3)</script>

Impact

This vulnerability can be used to steal a user's cookie.

It may then be possible to gain unauthorized access to the user's account via the stolen cookie.

Timeline

- We are processing your report and will contact the leantime team within 24 hours. (2 years ago)
- morioka12 modified the report. (2 years ago)
- We have contacted a member of the leantime team and are waiting to hear back. (2 years ago)
- We have sent a follow up to the leantime team. We will try again in 4 days. (2 years ago)
- We have sent a second follow up to the leantime team. We will try again in 7 days. (2 years ago)
- We have sent a third follow up to the leantime team. We will try again in 14 days. (2 years ago)
- Marcel Folaron validated this vulnerability. (2 years ago)
- scgajge12 has been awarded the disclosure bounty.
- The fix bounty is now up for grabs.
- Marcel Folaron marked this as fixed in 2.1.9 with commit 7cbdbf. (2 years ago)
- Marcel Folaron has been awarded the fix bounty.
morioka12 (Researcher)
2 years ago

@maintainer, I would be glad if you could approve this for a CVE.

morioka12 (Researcher)
a year ago

@admin, can you please assign a CVE for this?

Jamie Slome
a year ago

We are happy to assign a CVE once we get the go-ahead from the maintainer. Feel free to ping them on the commit SHA comments section 👍
