2023-02-28 12.36 EET: Report received.
Hello,
I found an XSS vulnerability in the “reaction on comment” functionality. An attacker with user privileges on a board can insert JavaScript code instead of a reaction.
Name: Alexander Starikov at Jet Infosystems (https://jetinfosystems.com/)
Twitter: @alexstar_46
Bug type: Stored XSS
Severity: Medium
CVSS (optional): AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (5.4)
CWSS (optional): CWE-79: Improper Neutralization of Input During WebPage Generation ('Cross-site Scripting')
Tested on:
- Self-hosted Wekan, latest version - v6.76 (last commit: 8a0899a819cef5a2c779edbe16a3edddb7450d84)
- Firefox version 110.0
Steps to reproduce (screenshots in the attachment):
1) Add a comment to a card.
2) Add any reaction to the comment and intercept the request in a proxy (I use Burp Suite).
Replace the default “reactionCodepoint” value with the payload: <img src=1 onerror=alert()>
Impact: An attacker can execute JavaScript code in the browsers of users who open a card with the “malicious reaction”. For example, an attacker can steal Meteor.loginToken or change the page content for phishing.
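The root cause described above is that the server accepts an arbitrary string as a "reaction" and the client renders it as HTML. The following is an added example of the two defensive layers a fix needs; it is not Wekan's code and does not show the project's actual patch. The function names, the `ALLOWED_REACTIONS` allowlist and the `comment` object shape are assumptions made for the example.

```javascript
// Added example (not Wekan's code): allowlist validation of a reaction value on
// the server, plus HTML escaping on render as defense in depth.
// All names below are hypothetical.

// Only values in this set may be stored. Anything else, including the
// "<img src=1 onerror=alert()>" payload from the report, is rejected outright.
const ALLOWED_REACTIONS = new Set(["👍", "👎", "😀", "🎉", "👀", "🚀"]);

// Validate the reactionCodepoint field of an incoming reaction request.
function isValidReactionCodepoint(value) {
  if (typeof value !== "string") return false;
  return ALLOWED_REACTIONS.has(value);
}

// Escape the five characters that can change HTML/attribute context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Simulated server-side handler: store the reaction only if it validates.
function addReaction(comment, reactionCodepoint) {
  if (!isValidReactionCodepoint(reactionCodepoint)) {
    return { ok: false, error: "invalid reactionCodepoint" };
  }
  comment.reactions.push(reactionCodepoint);
  return { ok: true };
}

// Vulnerable rendering pattern: stored value is concatenated into markup as-is.
// With no server-side validation this is how a stored payload reaches the DOM.
function renderReactionsUnsafe(comment) {
  return comment.reactions.map((r) => `<span class="reaction">${r}</span>`).join("");
}

// Safe rendering: even a value that slipped past validation is shown as text.
function renderReactions(comment) {
  return comment.reactions
    .map((r) => `<span class="reaction">${escapeHtml(r)}</span>`)
    .join("");
}

// Constructed demo input.
const demoComment = { reactions: [] };
addReaction(demoComment, "👍");
addReaction(demoComment, "<img src=1 onerror=alert()>"); // rejected
console.log(renderReactions(demoComment));
```

The allowlist is the primary control: a reaction is a small fixed vocabulary, so there is no reason to accept free text. Escaping on output is the second layer, so that a value stored before the fix, or one that arrives through another path, still cannot become markup.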
If you have any questions, I will be happy to answer them.