@RMHogervorst
I was not aware of #4543 before. However, after reading the pull request I can see that it's a different sink.
Although we both use the same source to host the payloads, the payload I used targets the Vue.js rendering engine and fires the XSS vulnerability on the Contact page and also on the /Storage endpoint in Settings:
Hi there,
I'm using the latest version of the Monica PRM web application, 2.19.1, deployed on my local Ubuntu machine. I would like to report the existence of a Cross-Site Scripting vulnerability in the Contact page.
The following fields of the Contact object can be used to host a stored XSS (First name, Middle name, Last name, Nickname & Description), and it will be triggered each time you browse the contact web page or try to edit the details.
This happens because of the way Vue.js renders the web page, executing the XSS payload in the vulnerable fields.
The payload used in the PoC:
{{ constructor.constructor("alert(document.cookie)")() }}
To mitigate this issue, different safeguards can be implemented; please refer to this website for more details:
https://github.com/dotboris/vuejs-serverside-template-xss
Regards,
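The mechanism behind this report, as an added example that is neither Monica's code nor the reporter's: HTML-escaping a contact field does not neutralise a Vue mustache, because braces are not HTML metacharacters, so the hardened variant marks the server-rendered subtree with v-pre and an audit helper flags stored values that carry interpolation syntax. The field names, the render fragments and the sample records are constructed for the example.

```javascript
// Added example (not Monica's code): HTML escaping vs. Vue client-side template
// injection in server-rendered contact fields, plus a defender's audit check.
// Assumption: contact fields are interpolated server-side into HTML that a Vue
// instance later mounts on and compiles (the reported situation).

const VUE_MUSTACHE = /\{\{[\s\S]*?\}\}/; // Vue's default interpolation delimiters

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Vulnerable pattern: correct for classic HTML injection, but "{{ ... }}"
// survives escaping and Vue compiles it as an expression when it mounts here.
function renderContactVulnerable(contact) {
  return `<div class="contact"><h1>${escapeHtml(contact.firstName)}</h1></div>`;
}

// Hardened pattern: v-pre tells Vue to skip compilation of this subtree, so the
// escaped text is displayed literally. Binding the value through a data
// property / v-text instead of server-side interpolation is the other option.
function renderContactSafe(contact) {
  return `<div class="contact"><h1 v-pre>${escapeHtml(contact.firstName)}</h1></div>`;
}

// Audit/detection: return the names of string fields on a stored contact record
// that contain Vue interpolation syntax (useful when scanning the contacts
// table after a report like this one, or as a server-side input check).
function findTemplateInjection(contact) {
  return Object.entries(contact)
    .filter(([, value]) => typeof value === 'string' && VUE_MUSTACHE.test(value))
    .map(([field]) => field);
}

// Would a mounted Vue instance see a mustache in this fragment? Simplified
// check: strip elements carrying v-pre, then look for the delimiters.
function mustacheReachesVue(html) {
  const stripped = html.replace(/<([a-z0-9]+)[^>]*\sv-pre[^>]*>[\s\S]*?<\/\1>/gi, '');
  return VUE_MUSTACHE.test(stripped);
}

// Constructed sample records: a benign contact and one carrying the reported payload.
const benignContact = { firstName: 'Ada', lastName: 'Lovelace', description: 'Friend' };
const hostileContact = {
  firstName: '{{ constructor.constructor("alert(document.cookie)")() }}',
  lastName: 'Example',
};
```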