Reflected XSS in fava application in beancount/fava

Valid

Reported on

Jul 22nd 2022


Description

The "query_string" parameter of fava application is vulnerable to reflected XSS for which a attacker can modify any information that the user is able to modify.

Proof of Concept

1.Open the url: https://fava.pythonanywhere.com/example-with-budgets/query/?filter=payee%3A%22Chichipotle%22&query_string=%3Cimg+src%3D1+onerror%3Dalert%28document.location%29%3E

2.Now XSS will popup.

Image

https://drive.google.com/file/d/1N7XGqTg4J5rPdDzFQ4TgEtwE9v2LXDlL/view?usp=sharing

Impact

If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user. Amongst other things, the attacker can:

+Perform any action within the application that the user can perform.

+View any information that the user is able to view.

+Modify any information that the user is able to modify.

Initiate interactions with other application users, including malicious attacks, that will appear to originate from the initial victim user. There are various means by which an attacker might induce a victim user to make a request that they control, to deliver a reflected XSS attack. These include placing links on a website controlled by the attacker, or on another website that allows content to be generated, or by sending a link in an email, tweet or other message

We are processing your report and will contact the beancount/fava team within 24 hours. 2 years ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists 2 years ago
We have contacted a member of the beancount/fava team and are waiting to hear back 2 years ago
beancount/fava maintainer modified the Severity from Critical (9.6) to High (8) 2 years ago
beancount/fava maintainer
2 years ago

Maintainer


Since Fava URLs are dependent on the name of the underlying Beancount journal and the base URLs, which should be private and require a previous attach to be determined by the attacker, I've marked the attack complexity as "high"

beancount/fava maintainer has acknowledged this report 2 years ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
beancount/fava maintainer validated this vulnerability 2 years ago
sampritdas8 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
beancount/fava maintainer marked this as fixed in 1.22.2 with commit dccfb6 2 years ago
The fix bounty has been dropped
beancount/fava maintainer gave praise 2 years ago
Thank you for the report :)
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
SAMPRIT DAS
2 years ago

Researcher


You are welcome :) @maintainer

SAMPRIT DAS
2 years ago

Researcher


@admin Can you please update the CVE description in nvd/mitre

Jamie Slome
2 years ago

We are currently waiting for MITRE to accept our contribution here. Once they do, the CVE will go live 👍

to join this conversation