Description: Stored XSS vulnerability exists in the "Reaction to comment" feature. An attacker with user privilege on kanban board can execute JavaScript code in the browsers of users who open card with malicious reaction.
Impact: An attacker can steal Meteor.loginToken or change page content for phishing.
CVSSv3.1 vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (5.4)
CWE: CWE-79: Improper Neutralization of Input During WebPage Generation ('Cross-site Scripting')
Affected Component: cardCommentReactions.js
Vendor: Open Source kanban board Wekan.
Wekan v5.49 - v6.84
- Add a comment in card:
- Add any reaction on comment and intercept this request in Proxy. Replace the default
reactionCodepoint
value on payload:<img src=1 onerror=alert()>
:
Alexander Starikov (Jet Infosystems, https://jet.su)