
Stored XSS on the scheduler projects list #338

Closed
Vulcanun opened this issue Dec 3, 2019 · 4 comments
Vulcanun commented Dec 3, 2019

Upon a security analysis of the platform, a stored cross-site scripting vulnerability was identified on the Web and Infrastructure Scan Scheduler's project dropdown selection.

The payload is present on the project name attribute, but it is only executed upon JavaScript interaction by the Select2 library utilized on that specific menu. Upon deletion of the archerysec/static/js/select2.min.js file, the vulnerability was not present anymore (as were the library functionalities).

The vulnerability is not present on the Python interactions; it is the live search function from Select2 that evaluates and (possibly) decodes HTML entities from the payload.

How To Reproduce
Steps to reproduce the behavior:

  1. Create a project with the name "XSS<img src=x onerror='prompt(1)'>"
  2. Click "Launch Scans" on the left-side menu
  3. Proceed to either "Dynamic Scans" or "Infrastructure Scans"
  4. Click "Scan Schedule"
  5. Click the project dropdown selection

Expected behavior
After reproducing the steps above, a pop-up should appear prompting the user with "1".
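The failure mode the report describes (server-side output is escaped, but a client-side widget that builds HTML strings from option labels undoes that escaping before inserting them) can be modelled in plain JavaScript. The snippet below is an added example, not ArcherySec or Select2 code; `projectNames`, `renderOptionDecoded`, `renderOptionEscaped` and `countStartTags` are constructed for illustration, and the payload string is the one from the reproduction steps.

```javascript
// Added example (not ArcherySec or Select2 code). It models the report's failure
// mode: a project name is escaped on the server, but client code that assembles
// HTML strings decodes the entities again before rendering.

// Constructed sample project names; the second is the payload from the report.
const projectNames = [
  "Internal API",
  "XSS<img src=x onerror='prompt(1)'>",
];

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the characters that can switch HTML parsing context. One pass, so
// an already-present "&" is not double-escaped later in the same call.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Reverse of escapeHtml: what a "decode entities for display" helper does.
// "&amp;" is handled last so it cannot be turned into a fresh "&lt;".
function decodeEntities(s) {
  return String(s)
    .replace(/&lt;/g, "<").replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"').replace(/&#39;/g, "'")
    .replace(/&amp;/g, "&");
}

// Vulnerable pattern: the label arrives escaped from the server, the client
// decodes it "for readability" and then builds markup from the decoded text.
function renderOptionDecoded(escapedName) {
  return `<li class="option">${decodeEntities(escapedName)}</li>`;
}

// Safe pattern: treat the label as text. Escape exactly once, at the point
// where it is placed into markup, and never decode on the way to innerHTML.
function renderOptionEscaped(rawName) {
  return `<li class="option">${escapeHtml(rawName)}</li>`;
}

// Regression helper: count start tags in a rendered option. A correctly
// rendered option contains exactly one (<li>), whatever the label says.
function countStartTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

function main() {
  for (const name of projectNames) {
    const stored = escapeHtml(name); // what the server would persist and emit
    console.log(`label: ${name}`);
    console.log(`  decode-then-render: ${countStartTags(renderOptionDecoded(stored))} start tag(s)`);
    console.log(`  escape-on-render:   ${countStartTags(renderOptionEscaped(name))} start tag(s)`);
  }
}
main();
```

In a real page the safer choice is not to build HTML strings from labels at all: set `option.textContent = name`, or keep Select2's `escapeMarkup` option at its escaping default rather than overriding it with an identity function. `countStartTags` is the kind of check a front-end test can run over rendered option markup to catch a regression of this bug.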

@anandtiwarics anandtiwarics self-assigned this Dec 3, 2019
anandtiwarics (Collaborator) commented

hey, @Vulcanun thanks for reporting to us. I'm looking at it.

anandtiwarics added a commit that referenced this issue Dec 3, 2019
XSS vulnerability due to older version of select js code. Updated with newer version and completely removed old UI.
anandtiwarics (Collaborator) commented

thanks, @Vulcanun for reporting to us. Please verify from your end.


Vulcanun commented Dec 3, 2019

Just tested it again and wasn't able to reproduce it.
Congrats on the quick fix @anandtiwarics.

Keep up the great work.

@Vulcanun Vulcanun closed this as completed Dec 3, 2019
NicoleG25 commented

Note that this appears to be assigned with CVE-2019-20008
