Stored XSS vulnerability in preview boxes via label and references text #32

Closed
dcianciulli opened this issue Jan 30, 2019 · 2 comments

Comments

@dcianciulli

dcianciulli commented Jan 30, 2019

Overall description

A stored XSS vulnerability in the preview boxes in the configuration panel may allow a malicious user to use both the label text and the references text to inject arbitrary JavaScript code (via script tags, event handlers, etc.).
Since the code is stored by the plugin, the attacker may be able to target anyone that opens the configuration panel of the plugin.

Steps to reproduce

  1. Create a new document with the plugin enabled;
  2. Either leave the current category selected, or create a new one;
  3. In either the label text box or the references text box (or both if you prefer) insert one of the following codes:
    • <script>alert(1);</script>
    • <img src=x onerror='alert(1)'/>
  4. Press "Save and apply"
  5. Now, when the victim opens the configuration panel and selects the category of step 2, a popup will appear. Categories are shown in alphabetical order, so if the one chosen in step 2 is the first to be shown, the victim does not even need to select it to be affected.

Please note that the examples proposed are only for demonstration. An attacker may inject arbitrary harmful JavaScript code.

Resolution

You need to escape any HTML tag from within the preview box in the configuration panel.

Additional information

Assigned CVE-ID: CVE-2019-7250
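The resolution asks for stored label and references text to be escaped before it reaches the preview box. The following is an added example, not code from the plugin or from the reporter, showing the two standard ways of doing that: an `escapeHtml` helper for code paths that build markup as a string, and a DOM variant that assigns `textContent` so the browser never parses the stored text as HTML. The preview structure (`buildPreviewHtml`, `renderPreview`, the `label`/`references` class names) is hypothetical; the plugin's real markup is not on the page. The sample inputs are the two payloads quoted in the report.

```javascript
// Added example (not the plugin's own code): render untrusted, stored category
// text into a preview box without letting the browser interpret it as HTML.

// Characters that change meaning inside HTML text or attribute values.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape a string so it is rendered literally when inserted into HTML.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// String-building variant: every piece of stored text passes through escapeHtml
// before being concatenated into markup. Structure is hypothetical.
function buildPreviewHtml(label, references) {
  return (
    `<div class="preview">` +
    `<span class="label">${escapeHtml(label)}</span>` +
    `<span class="references">${escapeHtml(references)}</span>` +
    `</div>`
  );
}

// DOM variant: assigning textContent never parses markup, so no escaping is
// needed at all. `container` is any element the preview box is rendered into.
function renderPreview(container, label, references) {
  const doc = container.ownerDocument;
  container.textContent = ''; // clear previous preview without innerHTML

  const labelEl = doc.createElement('span');
  labelEl.className = 'label';
  labelEl.textContent = label; // stored text shown verbatim

  const refsEl = doc.createElement('span');
  refsEl.className = 'references';
  refsEl.textContent = references;

  container.appendChild(labelEl);
  container.appendChild(refsEl);
}

// Constructed sample input: the payloads from the report, as they would sit in
// the plugin's stored configuration after "Save and apply".
const STORED_LABEL = '<script>alert(1);</script>';
const STORED_REFERENCES = "<img src=x onerror='alert(1)'/>";

// Returns true when the built preview contains no unescaped tag from the input.
function previewIsInert(html) {
  return !html.includes('<script') && !html.includes('<img');
}

function demo() {
  const html = buildPreviewHtml(STORED_LABEL, STORED_REFERENCES);
  return { html, inert: previewIsInert(html) };
}
```

Prefer the `textContent` path wherever the preview is built with DOM calls; `escapeHtml` is only needed when markup is assembled as a string (for example in a template), and it must be applied to every interpolated value, not just the ones that look suspicious. Note that escaping alone is not sufficient for text placed inside an attribute such as `href` or inside a `<script>` block; those contexts need their own encoding.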

@davidrthorn (Owner)

Fix in progress...

@davidrthorn (Owner)

Fixed
