Cross-site Scripting (XSS) - DOM in mineweb/minewebcms
Reported on
Sep 14th 2021
✍️ Description
A malicious actor with access to the navigation administration page can store a script payload as the title of a new Navigation Bar Link. Because the title is written into the page without HTML escaping, the payload then executes in the browser of every visitor to the site's root page, and the session of whoever visits the site can be compromised.
🕵️♂️ Proof of Concept
1. Create a new navigation bar link at the following route: /admin/navbar/add. Use the following payload as the link title: <script>alert("This Is An XSS POC");</script>. The icon field can be left empty, the Spell field can be either Classic or Drop-down menu, and the URL can be either Page or Custom.
2. Save the new navigation link. The payload already executes when the page re-renders after saving.
3. From then on, the payload executes each time an administrative user opens the navigation admin menu at /admin/navbar and, more seriously, each time any user visits the main page of the website.
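The following is an added illustration, not code from MineWeb or this report: a minimal navbar renderer that shows the unescaped output pattern behind the steps above next to its hardened form. The link records, their field names (title, url, type) and the helper names are assumptions for the example; only the title payload is taken from the proof of concept.

```javascript
// Added example, not MineWeb's own code: renders a navigation bar from stored
// link records, first the way that reproduces the report, then escaped.

// Payload from the proof of concept above.
const PAYLOAD = '<script>alert("This Is An XSS POC");</script>';

// Constructed sample records; the field names are assumptions, not the
// project's real schema.
const navbarLinks = [
  { title: 'Home', url: '/', type: 'Classic' },
  { title: PAYLOAD, url: '/custom', type: 'Classic' },
];

// Vulnerable pattern: the stored title is interpolated into the HTML as-is,
// so a title containing markup is executed by every browser that loads the page.
function renderNavbarVulnerable(links) {
  return links
    .map((l) => `<li><a href="${l.url}">${l.title}</a></li>`)
    .join('');
}

// HTML escaping suitable for both text content and double-quoted attributes.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[c]);
}

// The Custom URL option is a second injection point: a javascript: URL in an
// href runs on click even when the title is escaped, so only relative paths
// and http(s) URLs are accepted (an assumed policy for this example).
function safeHref(url) {
  const u = String(url);
  if (/^\/(?!\/)/.test(u) || /^https?:\/\//i.test(u)) return escapeHtml(u);
  return '#';
}

// Hardened pattern: every untrusted field is escaped at output time.
function renderNavbarSafe(links) {
  return links
    .map((l) => `<li><a href="${safeHref(l.url)}">${escapeHtml(l.title)}</a></li>`)
    .join('');
}

// Simple check: does the rendered HTML still contain a script element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Usage: the first render contains the live payload, the second does not.
console.log(renderNavbarVulnerable(navbarLinks));
console.log(renderNavbarSafe(navbarLinks));
```

The check on the href is included because the same form accepts a Custom URL; escaping the title alone leaves that second attribute-context injection open.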
💥 Impact
Because the XSS is stored, a malicious actor can harvest session identifiers from virtually any user, including other administrators, who browses the main welcome page of the website, and can then impersonate those users and act on their behalf. Even where the session cookie is marked HttpOnly, the injected script runs in the victim's browser with the victim's session and can issue authenticated requests as them. The confidentiality of user sessions is therefore compromised.