This repository has been archived by the owner on Sep 8, 2023. It is now read-only.

XSS vulnerabilities in Codiad-2.8.4 #1132

Open
chluo1997 opened this issue Aug 19, 2021 · 4 comments

@chluo1997

Hi, I found multiple XSS vulnerabilities in Codiad-2.8.4.

Detail:

  1. path: Codiad-2.8.4/components/user/dialog.php
    parameter: ?action=projects&username=<script>alert(1)</script>


  2. path: Codiad-2.8.4/components/active/dialog.php
    parameter: action=confirm&path=<script>alert(1)</script>


@HLSiira

HLSiira commented Aug 19, 2021

You should check the last two opened issues; they go into major detail about the above XSS vuls in Codiad. Almost every component is vulnerable to it, and most importantly the file manager. IIRC you can name a file to install an evil script, and then an admin account who looks at the folder will cause all sorts of bad stuff.

Nice catch though, I didn't notice it much when I forked Codiad.

@chluo1997
Author

#1122 reported an XSS vulnerability in the file controller.php, and I am reporting XSS vulnerabilities in two dialog.php files. I think they are different things.
I cannot see the contents of #1131 and have no idea of their discovery. Here I post two PoCs to demonstrate the XSS vuls confirmed by me.

@HLSiira

HLSiira commented Aug 20, 2021

Yes, if that's what you want to do, but you may as well start opening XSS issues for every single file in Codiad. The method by which Codiad handles sending data is inherently vulnerable, which is what #1122 is demonstrating.
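
Added example, not part of the original thread and not Codiad's code: a heuristic, line-based audit that flags PHP output statements reflecting request parameters without HTML encoding, the kind of per-file triage the comment above implies. The sample PHP is constructed; only the `username` and `path` parameter names come from the report, and the function names are hypothetical.

```python
import re

# Request superglobals are the untrusted sources.
SOURCE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[\s*['\"](\w+)['\"]\s*\]")
# Sinks that write into the HTML response: echo, print and <?= ... ?>.
SINK = re.compile(r"(?:\becho\b|\bprint\b|<\?=)(.*?)(?:;|\?>|$)")
# Calls that HTML-encode their argument (one level of nested parentheses).
ENCODER = re.compile(r"\bhtml(?:specialchars|entities)\s*\((?:[^()]|\([^()]*\))*\)")
ASSIGN = re.compile(r"(\$\w+)\s*=(?![=>])\s*(.+?);")
VAR = re.compile(r"\$\w+")

# Constructed sample (assumption): not Codiad's actual dialog.php source.
SAMPLE_DIALOG = r"""<?php
$username = $_GET['username'];
$path = htmlspecialchars($_GET['path'], ENT_QUOTES, 'UTF-8');
if ($_GET['action'] === 'projects') {
    echo '<h3>Projects for ' . $username . '</h3>';
} elseif ($_GET['action'] === 'confirm') {
    echo '<pre>' . $path . '</pre>';
    echo '<input type="hidden" value="' . $_GET['path'] . '">';
}
"""


def unencoded_params(expr, tainted):
    """Request parameters that reach expr outside an encoder call."""
    bare = ENCODER.sub("", expr)
    names = SOURCE.findall(bare)
    names += [tainted[v] for v in VAR.findall(bare) if v in tainted]
    return names


def find_unescaped_reflections(php_source):
    """Return [(line_no, param)] for sinks that output request data unencoded."""
    tainted = {}  # local variable -> request parameter it carries
    findings = []
    for line_no, line in enumerate(php_source.splitlines(), start=1):
        for var, expr in ASSIGN.findall(line):
            names = unencoded_params(expr, tainted)
            tainted.pop(var, None)  # a reassignment replaces any old taint
            if names:
                tainted[var] = names[0]
        for expr in SINK.findall(line):
            findings += [(line_no, n) for n in unencoded_params(expr, tainted)]
    return findings


if __name__ == "__main__":
    print(find_unescaped_reflections(SAMPLE_DIALOG))
```

A line-based regex scan misses multi-line statements and data that flows through functions or includes, so a clean result narrows the review rather than proving a file safe.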

@seongil-wi

Hello! I already reported this issue via email (dev@codiad.com and ksafranski@gmail.com) in April and got a CVE (CVE-2021-30217).
