Cross-site Scripting (XSS) - Stored in francoisjacquet/rosariosis

Status: Valid

Reported on: Apr 23rd 2022


Description

Stored XSS found in the assignment name: a long name is summarized (truncated) for display and the full name is placed in an HTML attribute without escaping.

Proof of Concept

1. First, access the latest version of the demo environment: https://www.rosariosis.org/demonstration/index.php

2. Log in with the teacher account (teacher/teacher).

3. After logging in, go to the page for adding an assignment.

4. Enter an assignment name longer than 37 characters that contains a payload such as `12345678" onmouseover="alert(origin)`. In the student/parent view of the assignment list, the long name is summarized into a span whose title attribute holds the full name, and the double quote in the payload breaks out of that attribute.

5. Save the assignment.

6. Log in with a student's or parent's account.

7. After logging in, open a page that lists assignments, for example https://www.rosariosis.org/demonstration/Modules.php?modname=misc/Portal.php

-> An alert box appears when the student opens that assignment.
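The pattern the steps above describe, as an added example that is not RosarioSIS code: the full assignment name lands in a span's `title` attribute after the displayed name has been truncated, so truncation alone does nothing to prevent the attribute from being closed early. The hardened form escapes every dynamic value for the attribute context before it is interpolated. Function names are hypothetical; PHP's `htmlspecialchars` and the `mbstring` extension are assumed to be available.

```php
<?php
// Added example, not RosarioSIS code. Function names are hypothetical.
// Requires the mbstring extension for multi-byte safe truncation.

// Shorten a user-supplied title for display. This is NOT a sanitizer:
// any quote within the first $max characters survives untouched.
function summarizeTitle(string $title, int $max = 37): string
{
    if (mb_strlen($title, 'UTF-8') <= $max) {
        return $title;
    }
    return mb_substr($title, 0, $max, 'UTF-8') . '...';
}

// Escape a value for use inside a double- or single-quoted HTML attribute.
// ENT_QUOTES encodes both quote characters, so the value cannot terminate the
// attribute; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
function escapeAttr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern: the raw name is interpolated into the title attribute.
function renderAssignmentVulnerable(string $title): string
{
    return '<span title="' . $title . '">' . summarizeTitle($title) . '</span>';
}

// Hardened pattern: every dynamic value is escaped for the context it lands in.
function renderAssignmentSafe(string $title): string
{
    return '<span title="' . escapeAttr($title) . '">'
         . escapeAttr(summarizeTitle($title)) . '</span>';
}

// Constructed sample input (not real data): a long name that carries a quote
// followed by an event-handler attribute, in the shape the report describes.
$sample = str_repeat('A', 40) . '" onmouseover="alert(1)';

echo renderAssignmentVulnerable($sample), PHP_EOL;
echo renderAssignmentSafe($sample), PHP_EOL;

// Self-check: in the hardened output the quote is encoded as &quot;, so no
// attribute boundary from the input survives into the markup.
$safe = renderAssignmentSafe($sample);
if (strpos($safe, 'onmouseover="') !== false) {
    throw new RuntimeException('attribute escaping failed');
}
```

The vulnerable line prints markup in which `onmouseover="alert(1)"` has become a real attribute on the span; the hardened line prints the same text with `"` rendered as `&quot;`, so the browser treats the whole name as the title string. Escaping at output time, for each context (attribute, text node, URL, JavaScript), is the program-wide change the maintainer refers to below.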


Impact

This vulnerability allows arbitrary JavaScript to execute in the victim's browser, for example to steal the user's cookie.

We are processing your report and will contact the francoisjacquet/rosariosis team within 24 hours. 2 years ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists 2 years ago
We have contacted a member of the francoisjacquet/rosariosis team and are waiting to hear back 2 years ago
François (Maintainer), 2 years ago:

Hello @dungtuanha

Thank you for reporting the issue. Version 9.0 will escape HTML attributes program wide, so hopefully it is not found anywhere else.

François Jacquet validated this vulnerability 2 years ago
dungtuanha has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
François Jacquet marked this as fixed in 8.9.5 with commit be5bf1 2 years ago
François Jacquet has been awarded the fix bounty
This vulnerability will not receive a CVE