Stored XSS in module named "Create Issues" in pkp/ojs

Valid

Reported on

Sep 1st 2023


Description

I tested the demo site you provided. I see that there is an XSS vulnerability. I hope you can check and provide a fix as soon as possible.

Proof of Concept

PoC video link: https://drive.google.com/file/d/1CEEFO0ukhjug6dNRfb-vdQNuBUyezoJp/view?usp=sharing

Steps

1. Log in as the demo account

2. Access the Issues module

3. Then create an issue

4. Pass the payload into the Title field

Payload

      test"><script>alert(document.cookie)</script>

5. After creating the issue, click on the newly created issue; the payload will be executed

Impact

Stored XSS (Cross-Site Scripting) is a type of web security vulnerability caused by improper input validation and inadequate data sanitization in a web application. It occurs when an attacker injects malicious scripts (usually in the form of HTML or JavaScript) into a website's database or storage, which is then fetched and displayed to unsuspecting users. These scripts are executed in the browsers of those who visit the infected page, enabling the attacker to steal sensitive information, such as login credentials or personal data, and potentially take control of the user's account or perform malicious actions on their behalf. To prevent stored XSS, developers must implement proper input validation and output encoding to ensure that user-supplied data is treated as plain text and not executed as code on the web page.
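To make the "output encoding" remedy concrete for the Title field in the steps above, here is an added example (not OJS code; OJS is written in PHP, where the equivalent call is htmlspecialchars() with ENT_QUOTES). It renders the report's payload once the way a vulnerable template would, and once with HTML encoding applied in both the attribute and the text context, then uses the standard-library HTML parser to count how many script elements each rendering actually produces. The template shape and the function names are constructed for the illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample input: the payload from the report, stored as an issue title.
ISSUE_TITLE = 'test"><script>alert(document.cookie)</script>'


def render_issue_unsafe(title: str) -> str:
    """'Before' rendering (hypothetical template): the stored title is interpolated
    verbatim into an attribute and into the element body. The quote in the payload
    closes the attribute, the '>' closes the tag, and the browser sees a real
    <script> element. This is the defect the report describes."""
    return f'<a class="issue" title="{title}">{title}</a>'


def render_issue_escaped(title: str) -> str:
    """'After' rendering: the title is HTML-encoded before it is placed in the page.
    html.escape(..., quote=True) encodes & < > " and ', which covers both the
    double-quoted attribute context and the text context used here."""
    safe = html.escape(title, quote=True)
    return f'<a class="issue" title="{safe}">{safe}</a>'


class _StartTagCollector(HTMLParser):
    """Collects the names of all start tags the parser recognises in a fragment."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)


def script_elements(fragment: str) -> int:
    """Structural check: how many <script> elements does a browser-like parser
    find in the rendered fragment? A correctly encoded title contributes none."""
    parser = _StartTagCollector()
    parser.feed(fragment)
    parser.close()
    return parser.tags.count("script")


def title_roundtrips(title: str) -> bool:
    """Encoding must not lose data: decoding the escaped title gives the original
    text back, so the user still sees their title exactly as typed."""
    return html.unescape(html.escape(title, quote=True)) == title


if __name__ == "__main__":
    for label, renderer in (("unsafe", render_issue_unsafe), ("escaped", render_issue_escaped)):
        fragment = renderer(ISSUE_TITLE)
        print(f"{label}: {fragment}")
        print(f"  script elements: {script_elements(fragment)}")
    print(f"roundtrip ok: {title_roundtrips(ISSUE_TITLE)}")
```

The unsafe rendering yields two script elements (one from the broken attribute, one from the element body); the encoded rendering yields none while still displaying the title text unchanged. Encoding has to be applied at output time for the context the value lands in; a title that is later placed inside a JavaScript string or a URL would need the encoder for that context instead.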

We are processing your report and will contact the pkp/ojs team within 24 hours. 6 months ago
We have contacted a member of the pkp/ojs team and are waiting to hear back 6 months ago
Trunggg02
5 months ago

Researcher


@admin Is there any feedback from the developer?

Alec Smecher modified the Severity from High (8.4) to Low (3.5) 5 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Alec Smecher validated this vulnerability 5 months ago
trunggg02 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Alec Smecher
5 months ago

Maintainer


@admin, I have fixed the issue, but it is in a different repo (https://github.com/pkp/ojs) than this report is filed. Therefore I can't enter the commit hash for the fix. Is there a way to resolve this?

Trunggg02
5 months ago

Researcher


@Alec Smecher Hi, on what basis can you judge the level as Low? Stored XSS is quite a serious vulnerability; attackers can capture users' cookies and take over their accounts. Can you review these reports?

Trunggg02
5 months ago

Researcher


@Alec Smecher You can see the reports that have been published on hunterdev, there is no Stored XSS report with a Low rating.

Alec Smecher
5 months ago

Maintainer


@Trunggg02, I am going by the CVSS guide. Beyond that, in order to create an issue a user must already have a high level of privileges, including tools that can be intentionally used elsewhere to add arbitrary Javascript to the site. Thus it is an issue of missing XSS escaping, but does not represent a privilege escalation.

Trunggg02
5 months ago

Researcher


@Alec Smecher You may have recorded the wrong score according to the CVSS. In some cases, if the administrator account is taken over by an attacker, they can use XSS to take over other accounts; the lowest level of danger is also Medium. Can you reconsider?

Alec Smecher
5 months ago

Maintainer


Bump to @admin:

I have fixed the issue, but the commit is in a different repo (https://github.com/pkp/ojs) than this report is filed. Therefore I can't enter the commit hash for the fix. Is there a way to resolve this?

Ben Harvie
5 months ago

Admin


I have updated the repository referenced on the report, you should now be able to add the relative commit SHA at this fix stage. Thanks!

Alec Smecher marked this as fixed in 3.3.0-16 with commit 66927d 5 months ago
The fix bounty has been dropped
This vulnerability has now been published 4 months ago