Cross-site Scripting (XSS) - Stored in nuxsmin/syspass

Valid

Reported on

May 31st 2022


Description

Stored Cross-Site Scripting (XSS) vulnerability due to the lack of content validation and output encoding.

Proof of Concept

1. Access the demo website https://demo.syspass.org and log in with an account.

2. Create a new account and, in the URL/IP field, enter https://google.com" onclick="alert(document.domain) -> the payload escapes from the href and title attributes -> set the permission to public for all accounts.

3. Save the account -> any other account that accesses the URL/IP assigned to that account -> an alert box will pop up.
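The attribute breakout in step 2 and the output-encoding fix it calls for, as an added example written for this page (not syspass code): the two render functions and the parser-based check are assumed illustrations, and Python's html.escape stands in for PHP's htmlspecialchars with ENT_QUOTES.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed copy of the payload quoted in step 2 of the report.
PAYLOAD = 'https://google.com" onclick="alert(document.domain)'

def render_link_unsafe(url: str) -> str:
    """Pattern the report describes: the stored URL/IP value is pasted
    into the anchor's href/title attributes and text with no encoding."""
    return f'<a href="{url}" title="{url}">{url}</a>'

def is_allowed_url(url: str) -> bool:
    """Content validation: only http(s) values may become clickable links."""
    return urlsplit(url).scheme.lower() in ("http", "https")

def render_link_safe(url: str) -> str:
    """Hardened rendering: validate the scheme, then HTML-encode the value
    for both attribute and text context. quote=True encodes " and ', the
    same effect as PHP's htmlspecialchars($s, ENT_QUOTES)."""
    enc = html.escape(url, quote=True)
    if not is_allowed_url(url):
        return f"<span>{enc}</span>"  # still shown, but never as a link
    return f'<a href="{enc}" title="{enc}">{enc}</a>'

class _FirstAnchor(HTMLParser):
    """Collects the attributes of the first <a> tag, the way a tokenizer
    (and therefore the browser) sees them once the markup is built."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "a" and self.attrs is None:
            self.attrs = dict(attrs)

def anchor_attributes(markup: str) -> dict:
    """Return {name: value} for the first anchor, or {} if there is none."""
    p = _FirstAnchor()
    p.feed(markup)
    return p.attrs or {}

def has_event_handler(markup: str) -> bool:
    """Detection check: did the stored value smuggle in an on* attribute?"""
    return any(n.startswith("on") for n in anchor_attributes(markup))
```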


Impact

1. Malicious JavaScript has access to all the same objects as the rest of the web page, including access to cookies and local storage, which are often used to store session tokens. If an attacker can obtain a user's session cookie, they can then impersonate that user.

2. Furthermore, JavaScript can read and make arbitrary modifications to the contents of a page being displayed to a user. Therefore, XSS in conjunction with some clever social engineering opens up a lot of possibilities for an attacker.

We are processing your report and will contact the nuxsmin/syspass team within 24 hours. (2 years ago)
A GitHub Issue asking the maintainers to create a SECURITY.md exists. (2 years ago)
dungtuanha modified the report. (2 years ago)
dungtuanha modified the report. (2 years ago)
dungtuanha modified the report. (2 years ago)
We have contacted a member of the nuxsmin/syspass team and are waiting to hear back. (2 years ago)
We have sent a follow up to the nuxsmin/syspass team. We will try again in 7 days. (a year ago)
nuxsmin/syspass maintainer has acknowledged this report. (a year ago)
nuxsmin gave praise (a year ago): Many thanks for your contribution!!
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
nuxsmin modified the Severity from Critical (9) to Medium (4.8). (a year ago)
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
nuxsmin validated this vulnerability. (a year ago)
dungtuanha has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
The researcher's credibility has increased: +7
nuxsmin marked this as fixed in v3.2.5 with commit 4da4d0. (a year ago)
The fix bounty has been dropped.
This vulnerability will not receive a CVE.
search-rows.inc#L107 has been validated.
jhond0e (a year ago):

Hi, your demo website (demo.syspass.org) is always vulnerable to this issue.
