Cross-site Scripting (XSS) - Stored in apostrophecms/apostrophe

Valid

Reported on Jul 29th 2021


✍️ Description:

An attacker could upload a specially crafted SVG image containing malicious script. When a user follows a direct link to the uploaded image, the browser renders the SVG and executes the embedded script.

🕵️‍♂️ Proof of Concept:

// PoC.js

var payload = ...
PoC link on the demo instance: https://demo-ckrp2ycbk01etdvxw1myanric.apostrophecmsdemo.org/uploads/ckrp2ycbk01etdvxw1myanric/attachments/ckrp2ze0p01eydvxw81sbtqk4-xss-xml-svg-font-example-poc.svg

💥 Impact:

This vulnerability could allow an attacker to steal user sessions, take over user accounts, or redirect users to an attacker-controlled site.

We have contacted a member of the apostrophecms/apostrophe team and are waiting to hear back (2 years ago)
0x9x modified the report (2 years ago)

Alex Bea (Maintainer), 2 years ago:

Thank you for the report. We are evaluating options to address this internally. I'm not able to see the report details anymore, though. Please include me (GitHub user abea), Tom (boutell), and Alex (agilbert) on the report as maintainers. You can see us all on the core team here: https://github.com/orgs/apostrophecms/people

Jamie Slome (Admin), 2 years ago:

@abea - thanks for getting in touch. I will get this sorted for you ASAP!

Jamie Slome (Admin), 2 years ago:

@abea - this has now been sorted for you <3

Alex Bea (Maintainer), 2 years ago:

Thank you, Jamie

Alex Bea validated this vulnerability 2 years ago
0x9x has been awarded the disclosure bounty
The fix bounty is now up for grabs
0x9x (Researcher), 2 years ago:

Thank you for validating the issue. Best,

0x9x (Researcher), 2 years ago:

Thanks for confirming the issue. Best,

Tom Boutell marked this as fixed with commit c8b94e 2 years ago
Tom Boutell has been awarded the fix bounty
This vulnerability will not receive a CVE