Stored Cross Site Scripting (Network Maps Editor functionality) in pandorafms/pandorafms

Status: Valid
Reported on: Oct 26th 2022

Description

Hello Team,

Hope you are doing well.

I have found a stored cross-site scripting vulnerability in the network maps edit functionality.

What is a stored cross-site scripting attack?

Stored XSS occurs when user-supplied input is stored and then rendered within a web page. Typical entry points for stored XSS are message forums, blog comments, user profiles and username fields. An attacker typically exploits this vulnerability by injecting XSS payloads on popular pages of a site or by passing a link to a victim, tricking them into viewing the page that contains the stored XSS payload. The victim visits the page and the payload is executed client-side by the victim's web browser.

Proof of Concept (steps):

  • As a low-privilege user (a manager in this case), create a network map whose name is the XSS payload given below.
  • Once it is created, an admin user must open the network map in the editor (edit network maps).
  • The XSS payload is executed, which could be used to steal the admin user's cookie value.

POC Link: https://drive.google.com/drive/folders/1l_jvDKS3DvWKICwCMw1P0ntSyaTlIcCX?usp=sharing

Payload used: "><img src=x onerror=alert(document.cookie)>

Impact

  • Perform any action within the application that the user can perform.
  • View any information that the user is able to view.
  • Modify any information that the user is able to modify.
  • Session hijacking, as the JavaScript code can easily access the session cookie since the HttpOnly flag is set to false.

Mitigation:

  • Implement security headers such as X-XSS-Protection and CSP for an added layer of protection.
  • Proper input validation and sanitization should be performed.
  • Proper output encoding should be performed.
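
To make the output-encoding recommendation concrete: the report does not include the affected template, so the snippet below is an added example, not Pandora FMS code. It models the pattern the report describes: a network map name stored by a low-privileged user and later rendered by the edit form into an HTML attribute. `render_name_input_vulnerable` echoes the stored value raw, so the payload's leading `">` closes the `value` attribute and the `<img>` tag with its `onerror` handler becomes live markup; `render_name_input_safe` applies `htmlspecialchars` with `ENT_QUOTES`, the context-appropriate encoding for an attribute value. The function names, the `<input>` field and the `contains_injected_tag` check are assumptions made for the example.

```php
<?php
// Added example, not Pandora FMS code. Shows why the stored network map
// name must be output-encoded for the HTML attribute context it lands in.

// Constructed sample: the payload from the report, as it would come back
// from the database after the low-privileged user saved the network map.
const STORED_NAME = '"><img src=x onerror=alert(document.cookie)>';

// Vulnerable pattern: the stored value is interpolated into the edit form
// without encoding. The leading "> closes the value attribute and the tag,
// and the <img> element with its onerror handler is parsed as real markup.
function render_name_input_vulnerable(string $name): string
{
    return '<input type="text" name="name" value="' . $name . '">';
}

// Hardened pattern: htmlspecialchars with ENT_QUOTES encodes both quote
// characters as well as < > &, so the value cannot break out of the
// attribute regardless of what was stored. Pass the charset explicitly so
// the encoder never falls back to a default that disagrees with the page.
function render_name_input_safe(string $name): string
{
    $encoded = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="name" value="' . $encoded . '">';
}

// Check a reviewer or unit test can apply to the rendered fragment: the
// template emits exactly one <input ...> element, so any second tag start
// means the stored value escaped its attribute context.
function contains_injected_tag(string $html): bool
{
    return preg_match_all('/<[a-zA-Z]/', $html) > 1;
}

$vulnerable = render_name_input_vulnerable(STORED_NAME);
$safe = render_name_input_safe(STORED_NAME);

echo "vulnerable: $vulnerable\n";
echo "safe:       $safe\n";
echo 'vulnerable injects a tag: ' . var_export(contains_injected_tag($vulnerable), true) . "\n";
echo 'safe injects a tag:       ' . var_export(contains_injected_tag($safe), true) . "\n";
```

Run with `php example.php`; the vulnerable line prints two tag starts (`<input` and `<img`) and the check reports `true`, while the safe line shows the payload reduced to `&quot;&gt;&lt;img ...&gt;` inside the attribute and the check reports `false`. Encoding at the point of output is the actual fix. The HttpOnly flag, whose absence the report relies on for cookie theft, limits what an injected script can read but does not stop it from running, and X-XSS-Protection is ignored by current browsers, so neither header substitutes for context-aware output encoding.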

We are processing your report and will contact the pandorafms team within 24 hours. (a year ago)
A GitHub Issue asking the maintainers to create a SECURITY.md exists. (a year ago)

Gaurish (Researcher), a year ago:

I have added a video POC to the shared folder link. Please check and let me know in case of any query.

We have contacted a member of the pandorafms team and are waiting to hear back. (a year ago)
We have sent a follow-up to the pandorafms team. We will try again in 4 days. (a year ago)
pandorafms/pandorafms maintainer modified the Severity from High (8.3) to Medium (6.4). (a year ago)

pandorafms/pandorafms maintainer (Maintainer), a year ago:

Reserved CVE-2022-43980. This issue will be fixed in v766.

pandorafms/pandorafms maintainer has acknowledged this report. (a year ago)

Gaurish (Researcher), a year ago:

Hi @admin,

Could you please tell me why the severity was changed from High to Medium? I am able to steal the admin user's cookies and can perform an admin account takeover.

Pavlos (Admin), a year ago:

Hi Gaurish, it's the maintainer's assessment...

Gaurish (Researcher), a year ago:

Hi all, any update on this?

Gaurish (Researcher), a year ago:

By when will this issue be closed, @admin?

Ben Harvie (Admin), a year ago:

This is in the hands of the maintainer; admins are unable to take actions on reports without the maintainer's consent. Thanks :)


The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
pandorafms/pandorafms maintainer validated this vulnerability. (a year ago)
argonx21 has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
The researcher's credibility has increased: +7

Gaurish (Researcher), a year ago:

Thank you for the update... Let me know once the reserved CVE, CVE-2022-43980, is published.

Gaurish (Researcher), a year ago:

Hi Team, this issue is fixed. Also, the CVE reserved for this bug is published.

@admin please check and close this issue.

pandorafms/pandorafms maintainer (Maintainer), a year ago:

Published https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43980

pandorafms/pandorafms maintainer marked this as fixed in v766 with commit ccc278. (a year ago)
The fix bounty has been dropped.
This vulnerability has now been published. (a year ago)