
Multiple Stored XSS in convert transactions. #2363

Closed
0x2500 opened this issue Aug 2, 2019 · 5 comments
Labels
bug Verified and replicated bugs and issues. fixed Bugs that are fixed (in a coming release).

Comments

@0x2500

0x2500 commented Aug 2, 2019

Description
The current version of Firefly III, Version 4.7.17.3, is vulnerable to multiple stored XSS due to lack of filtration of user-supplied data in the transaction description field and in the asset account name. A malicious attacker can create a specially crafted request which contains JavaScript code in it. The malicious JavaScript code will be executed when a user visits the links below.

Steps to reproduce

  1. Add 2 asset accounts with names "<script>alert("XSS in source asset account")</script>",
    "<script>alert("XSS in destination asset account")</script>"
  2. Add new transaction with description "<script>alert("XSS in transaction description")</script>". You can add new deposit or withdrawal or transfer.
  3. Visit
/transactions/convert/deposit/[id of your transaction]
/transactions/convert/withdrawal/[id of your transaction]
/transactions/convert/transfer/[id of your transaction]

See 5 alerts (one description alert, two source account alerts, two destination account alerts).
POC image: xss_in_transaction
Extra info
Tested on Mozilla 60.4.0esr (64-bit)
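The report describes user-controlled strings (a transaction description and two asset account names) being written into the convert page without output encoding. The following PHP script is an added example, not Firefly III's own code or the fix from the referenced commits: it renders a simplified convert form the way a vulnerable template would, then the same markup with every interpolated value HTML-encoded, and checks whether the reporter's payloads survive as a live `<script>` tag. Function names, the markup layout and the field names are assumptions made for illustration.

```php
<?php
// Added example (not Firefly III code): an unescaped template fragment beside
// one that HTML-encodes every user-controlled value before it reaches the page.
// Function and field names are illustrative assumptions.

declare(strict_types=1);

/** Encode a value for insertion into an HTML text node or quoted attribute. */
function h(string $value): string
{
    // ENT_QUOTES covers both ' and " so the value is also safe inside attributes;
    // ENT_SUBSTITUTE keeps invalid UTF-8 from producing an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable: user data is concatenated straight into the markup. */
function renderConvertFormUnsafe(string $description, string $source, string $destination): string
{
    // Each account name appears twice (attribute value and option text), which is
    // why the report sees two alerts per account.
    return "<h1>Convert: {$description}</h1>\n"
         . "<select name=\"source\"><option value=\"{$source}\">{$source}</option></select>\n"
         . "<select name=\"destination\"><option value=\"{$destination}\">{$destination}</option></select>\n";
}

/** Hardened: the same markup with every interpolated value escaped. */
function renderConvertFormSafe(string $description, string $source, string $destination): string
{
    return '<h1>Convert: ' . h($description) . "</h1>\n"
         . '<select name="source"><option value="' . h($source) . '">' . h($source) . "</option></select>\n"
         . '<select name="destination"><option value="' . h($destination) . '">' . h($destination) . "</option></select>\n";
}

/** True if the rendered output still contains an executable <script> tag. */
function containsRawScript(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Constructed sample input: the same payloads as the report's reproduction steps.
$description = '<script>alert("XSS in transaction description")</script>';
$source      = '<script>alert("XSS in source asset account")</script>';
$destination = '<script>alert("XSS in destination asset account")</script>';

$unsafe = renderConvertFormUnsafe($description, $source, $destination);
$safe   = renderConvertFormSafe($description, $source, $destination);

// Expected: "yes" for the unsafe render, "no" for the safe one.
printf("unsafe render contains live <script>: %s\n", containsRawScript($unsafe) ? 'yes' : 'no');
printf("safe render contains live <script>:   %s\n", containsRawScript($safe) ? 'yes' : 'no');
echo $safe;
```

Run it with `php convert_xss_example.php`. The `containsRawScript` check is the kind of assertion worth keeping as a regression test: store the report's three payloads as fixtures, render every page that displays them (not only the convert routes the report lists), and fail the build if an unencoded `<script` appears in the response body.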

@JC5 JC5 added bug Verified and replicated bugs and issues. fixed Bugs that are fixed (in a coming release). labels Aug 2, 2019
@JC5 JC5 closed this as completed in 427de05 Aug 2, 2019
@JC5
Member

JC5 commented Aug 2, 2019

Should be fixed, if you could verify I would be grateful.

@JC5 JC5 reopened this Aug 2, 2019
@0x2500
Author

0x2500 commented Aug 2, 2019

I can still reproduce it. Fixed in asset account name, but not in transaction description.
Btw, I'm not @dayn1ne, can you edit version commit?

@JC5
Member

JC5 commented Aug 2, 2019

Will do. Sorry for the mixup!

@JC5 JC5 closed this as completed in 15d4d18 Aug 2, 2019
@JC5
Member

JC5 commented Aug 2, 2019

Fixed the issues and the credits, if you could confirm?

@JC5 JC5 reopened this Aug 2, 2019
@0x2500
Author

0x2500 commented Aug 2, 2019

I can confirm: bug is fixed, credits are OK.

@0x2500 0x2500 closed this as completed Aug 2, 2019
@lock lock bot locked as resolved and limited conversation to collaborators Jan 19, 2020