Cross-site Scripting (XSS) - DOM in mineweb/minewebcms


Reported on

Sep 14th 2021

✍️ Description

A malicious actor who can reach the navigation-bar editor (/admin/navbar/add) is able to store a malicious payload as the title of a new Navigation Bar Link. The stored title is rendered into the page without encoding, so the payload executes every time any user visits the root page of the website, and the session of whoever visits the site can be compromised.

🕵️‍♂️ Proof of Concept

1. Create a new Navigation bar link at the following route: /admin/navbar/add. Use the following payload as the Navigation Link title: <script>alert("This Is An XSS POC");</script>. The icon option can be left empty, the Spell can be Classic or Drop-down menu, and the URL can be Page or Custom.

2. Save the new Navigation link. The XSS payload already executes on the page shown after saving.

3. From now on, each time an administrative user visits the Navigation admin menu at the /admin/navbar route, the XSS payload executes. More seriously, each time any user visits the main page of the website, the XSS payload executes.
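The steps above come down to one pattern: a stored navbar title is concatenated into the page markup. The following is an added example, not MineWebCMS code, that renders a constructed set of navbar rows (including the exact proof-of-concept title from this report) first with that vulnerable pattern and then with output encoding, which is the class of fix such a bug needs. The function names (`renderNavbarVulnerable`, `renderNavbarHardened`, `e`, `safeHref`) and the sample rows are assumptions made for the example; the escaping helper mirrors what CakePHP's `h()` does. It targets PHP 8 for `str_contains` / `str_starts_with`.

```php
<?php
// Added example (not MineWebCMS code): rendering navigation-bar links read from
// storage, the vulnerable pattern the report describes beside a hardened version.
declare(strict_types=1);

// Constructed sample rows, standing in for what /admin/navbar/add saves.
// The second row carries the exact proof-of-concept title from the report; the
// third shows that the URL field needs its own treatment, not just the title.
const NAVBAR_LINKS = [
    ['title' => 'Home', 'url' => '/'],
    ['title' => '<script>alert("This Is An XSS POC");</script>', 'url' => '/'],
    ['title' => 'Shop', 'url' => 'javascript:alert(1)'],
];

// Vulnerable: the stored title is concatenated straight into the markup, so the
// <script> tag is parsed and executed by every visitor's browser.
function renderNavbarVulnerable(array $links): string
{
    $html = '<ul class="navbar">';
    foreach ($links as $link) {
        $html .= '<li><a href="' . $link['url'] . '">' . $link['title'] . '</a></li>';
    }
    return $html . '</ul>';
}

// Encode a value for an HTML text or attribute context (what CakePHP's h() does).
// ENT_QUOTES also encodes quotes, so the same helper is safe inside href="...".
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Allow only site-relative paths and http(s) URLs in href. Encoding alone does not
// stop javascript: or data: URLs, because those are valid attribute text.
function safeHref(string $url): string
{
    $url = ltrim($url); // browsers ignore leading whitespace before a scheme
    if (str_starts_with($url, '/') && !str_starts_with($url, '//')) {
        return $url;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : '#';
}

// Hardened: every stored value is encoded for the context it lands in.
function renderNavbarHardened(array $links): string
{
    $html = '<ul class="navbar">';
    foreach ($links as $link) {
        $html .= '<li><a href="' . e(safeHref($link['url'])) . '">'
               . e($link['title']) . '</a></li>';
    }
    return $html . '</ul>';
}

$vulnerable = renderNavbarVulnerable(NAVBAR_LINKS);
$hardened   = renderNavbarHardened(NAVBAR_LINKS);

// The vulnerable output carries a live <script> element; the hardened output shows
// the payload as inert text and replaces the javascript: href with "#".
assert(str_contains($vulnerable, '<script>alert("This Is An XSS POC");</script>'));
assert(!str_contains($hardened, '<script>'));
assert(str_contains($hardened, '&lt;script&gt;alert(&quot;This Is An XSS POC&quot;);&lt;/script&gt;'));
assert(str_contains($hardened, 'href="#"'));

echo "vulnerable:\n$vulnerable\n\nhardened:\n$hardened\n";
```

Run it with `php -d zend.assertions=1 navbar.php` so the assertions are evaluated (PHP disables them by default). The point worth keeping in mind when checking a fix like the one shipped in 1.15.1 is that escaping the title closes this report's payload, but the URL field of the same form reaches an `href` attribute, where a `javascript:` value survives HTML encoding; both fields need context-appropriate handling.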

💥 Impact

The danger of this stored XSS is that a malicious actor can gather session identifiers from virtually any user, admin users included, who browses the main welcome page of the website, and can then impersonate those users and act as them. The confidentiality of every affected session is compromised. Note that marking the session cookie HttpOnly limits cookie theft but does not remove the risk: script running in a victim's browser can still issue authenticated requests as that user, including administrative actions.

nivcoo validated this vulnerability 2 years ago
PHoward has been awarded the disclosure bounty
The fix bounty is now up for grabs
nivcoo marked this as fixed in 1.15.1 with commit e45797 2 years ago
nivcoo has been awarded the fix bounty
This vulnerability will not receive a CVE