This repository has been archived by the owner on Jul 22, 2020. It is now read-only.

Stored Cross Site Scripting in CMS Clipper_1.3.3 #488

Open
prasadlingamaiah opened this issue Jun 10, 2018 · 1 comment

Comments

@prasadlingamaiah

Stored XSS was found in the "Manager Permissions" field in CMS Clipper version 1.3.3. The Manager Permissions value is obtained from User Groups, Resource Groups and Users/resource group links, which hold the lists of added users and groups. It is stored and displayed without any sanitization.
Affected URL:
http://127.0.0.1:880/ClipperCMS-clipper_1.3.3/manager/

Steps to POC:

  1. Access the URL http://127.0.0.1:880/ClipperCMS-clipper_1.3.3/manager/
  2. Under the Security tab, click Manager Permissions -->> User Groups. In the User Groups parameter, create a new User Group with the XSS payload
     <img/id="confirm(1)"/alt="/"src="/"onerror=eval(id)>'"> and click the submit button. The script is executed.
  3. Under the Security tab, click Manager Permissions -->> Resource Groups. In the User Groups parameter, create a new Resource Group with the XSS payload
     <img/id="confirm(1)"/alt="/"src="/"onerror=eval(id)>'"> and click the submit button. The script is executed.
  4. Under Users/resource group links, submit the XSS payload which was saved.
     For your reference:


Mitigation:
Sanitize HTML Markup with a Library Designed for the Job
Never Insert Untrusted Data Except in Allowed Locations
HTML Escape Before Inserting Untrusted Data into HTML Element Content
Attribute Escape Before Inserting Untrusted Data into HTML Common Attributes
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
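As an added illustration of the mitigation above (this is example code, not code from the issue or from ClipperCMS, and it uses Python's html.escape in place of the PHP escaping the CMS would use), here is the vulnerable concatenation pattern beside its context-escaped form, with the issue's payload as the stored group name. A parser check shows which elements and on* handlers a browser would actually see in each rendering.

```python
import html
from html.parser import HTMLParser

# Payload quoted in the issue above, used here as constructed test input.
XSS_PAYLOAD = '<img/id="confirm(1)"/alt="/"src="/"onerror=eval(id)>\'">'


def render_group_row_unsafe(group_name: str) -> str:
    """Vulnerable pattern: the stored name is concatenated straight into the markup."""
    return (f'<tr><td>{group_name}</td>'
            f'<td><input type="text" name="name" value="{group_name}"></td></tr>')


def escape_text(value: str) -> str:
    """Encode for HTML element content (between tags): & < > become entities."""
    return html.escape(value, quote=False)


def escape_attr(value: str) -> str:
    """Encode for a quoted attribute value: additionally neutralises ' and "."""
    return html.escape(value, quote=True)


def render_group_row_safe(group_name: str) -> str:
    """Hardened form: each insertion point is encoded for its own HTML context."""
    return (f'<tr><td>{escape_text(group_name)}</td>'
            f'<td><input type="text" name="name" value="{escape_attr(group_name)}"></td></tr>')


class TagCollector(HTMLParser):
    """Records every start tag and its attributes, as a browser's tokenizer would see them."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup: str):
    """Return [(tag, {attr: value}), ...] for the rendered markup."""
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


def has_event_handler(markup: str) -> bool:
    """True if any element in the markup carries an on* attribute (e.g. onerror)."""
    return any(name.startswith("on") for _, attrs in parse_tags(markup) for name in attrs)
```

The unsafe row yields an extra img element carrying onerror; the safe row yields only tr, td and input, and the input's value attribute decodes back to the original stored string.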

@prasadlingamaiah prasadlingamaiah changed the title Stored XSS in Manager Permissions Stored Cross Site Scripting in CMS Clipper_1.3.3 Aug 2, 2019
@prasadlingamaiah
Author

Any update on this vulnerability?
