
ReactionBleed

CVE:                                CVE-2023-31779
Vulnerability name:                 ReactionBleed
Date:                               2023-02-28 12.36 EET
Responsible Security Disclosure by: Alexander Starikov at Jet Infosystems
Vulnerabilities:                    Did send detailed report and fix!

Timeline

2023-02-28 12.36 EET Report received.

I found an XSS vulnerability in the “reaction on comment” functionality. An attacker with user privileges on a board can insert JavaScript code instead of a reaction.
Name: Alexander Starikov at Jet Infosystems (https://jetinfosystems.com/)
Twitter: @alexstar_46
Bug type: Stored XSS
Severity: Medium
CVSS (optional): AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (5.4)
CWSS (optional): CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Tested on:
- Self-hosted Wekan, latest version - v6.76 (last commit: 8a0899a819cef5a2c779edbe16a3edddb7450d84)
- Firefox version 110.0

Steps to reproduce (screenshots in the attachment):
1) Add a comment in a card.
2) Add any reaction on the comment and intercept this request in a proxy (I use Burp Suite).
Replace the default “reactionCodepoint” value with the payload: <img src=1 onerror=alert()>

Impact: An attacker can execute JavaScript code in the browsers of users who open the card with the “malicious reaction”. For example, the attacker can steal Meteor.loginToken or change page content for phishing.

If you have any questions I will be happy to answer them.
2023-04-03 17.36 EET WeKan Support had trouble reproducing the bug and creating a fix, so WeKan Support asked whether Alexander could try to fix it and send a patch.
2023-04-10 14.47 EET Alexander sent a patch with the fix.
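The patch itself is not reproduced on this page. The root cause described in the report is a reaction value that is accepted from the request unchanged and later rendered as markup, so the two controls a fix needs are an allowlist check on the server before the value is stored and HTML escaping where it is rendered. The following is an added example of that pattern, not Wekan's own code or the submitted patch: the reaction allowlist, the function names and the `addReaction`/`store` shape are assumptions, since the page does not show Wekan's real reaction set or method names.

```javascript
// Added example (not Wekan's code): validate a comment reaction server-side
// with an allowlist, and escape it on render as defence in depth.
// The allowlist and function names below are constructed for this example.

// Constructed allowlist of the reactions the UI offers. Anything else is rejected.
const ALLOWED_REACTIONS = new Set(['👍', '👎', '😀', '🎉', '❤️', '👀']);

// A reaction must be exactly one allowlisted string. Matching against an
// allowlist, rather than trying to strip "<" or "onerror", means a tampered
// request such as "<img src=1 onerror=alert()>" never reaches the database.
function isValidReactionCodepoint(value) {
  if (typeof value !== 'string') return false;
  return ALLOWED_REACTIONS.has(value);
}

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Stand-in for the server-side method that records a reaction on a comment.
// `store` is a plain array standing in for the comment's reaction list
// (hypothetical); the check runs before anything is persisted.
function addReaction(store, userId, reactionCodepoint) {
  if (!isValidReactionCodepoint(reactionCodepoint)) {
    throw new Error('invalid reaction');
  }
  store.push({ userId, reactionCodepoint });
  return store.length;
}

// Render side: the stored value is inserted as text, not markup, so even a
// value that somehow bypassed validation cannot execute in other users' browsers.
function renderReactionHtml(reactionCodepoint) {
  return `<span class="reaction">${escapeHtml(reactionCodepoint)}</span>`;
}

// Usage: a legitimate reaction is stored, the tampered one from the report is rejected.
const reactions = [];
addReaction(reactions, 'user-1', '👍');
try {
  addReaction(reactions, 'user-1', '<img src=1 onerror=alert()>');
} catch (e) {
  console.log('rejected:', e.message);
}
console.log(renderReactionHtml(reactions[0].reactionCodepoint));
```

The allowlist is the primary control: it fixes the stored-XSS root cause at the point where attacker-controlled input enters the system. The escaping in `renderReactionHtml` is secondary and covers data that was stored before the fix was deployed, which is why both belong in a patch for this class of bug.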
