Security Issue - XSS #4888

Closed
bousalman opened this issue Feb 18, 2021 · 3 comments · Fixed by #4971

@bousalman

Hi there,

I'm using the latest version of the Monica PRM web application, 2.19.1, deployed on my local Ubuntu machine. I would like to report to you the existence of a Cross-Site Scripting vulnerability in the Contact page.
The following fields of the Contact object can be used to host a stored XSS (First name, Middle name, Last name, Nickname & Description), and it will be triggered each time you browse the contact webpage or try to edit the details.
This happens because of the way that Vue.js renders the webpage and executes the XSS payload in the vulnerable fields.

The payload used in the PoC:
{{ constructor.constructor("alert(document.cookie)")() }}

xss

To mitigate this issue, different safeguards can be implemented. Please refer to this website for more details:
https://github.com/dotboris/vuejs-serverside-template-xss

Regards,
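
An added example, not part of the original report and not Monica's own code: HTML escaping alone leaves the `{{ }}` delimiters intact, so this sketch wraps server-rendered user text in Vue's `v-pre` directive (which skips compilation of that element) and audits stored contacts for interpolation delimiters. The field names, helper names and sample records are assumptions made for illustration.

```javascript
// Added example (not Monica's code). Field names and sample records are constructed.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Plain HTML escaping, as a server-side template engine would apply it.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// True when the value carries Vue's default interpolation delimiters.
function hasVueInterpolation(value) {
  return /\{\{[\s\S]*?\}\}/.test(String(value));
}

// Server-side output helper: escape the value, then wrap it in an element
// marked v-pre so Vue skips compilation of that element and its children.
function renderUserText(value) {
  return `<span v-pre>${escapeHtml(value)}</span>`;
}

// Hypothetical column names for the fields listed in the report.
const TEXT_FIELDS = ['first_name', 'middle_name', 'last_name', 'nickname', 'description'];

// Audit stored contacts: list every (id, field) whose value contains delimiters.
function auditContacts(contacts) {
  const findings = [];
  for (const contact of contacts) {
    for (const field of TEXT_FIELDS) {
      if (contact[field] != null && hasVueInterpolation(contact[field])) {
        findings.push({ id: contact.id, field });
      }
    }
  }
  return findings;
}

// Constructed sample data; contact 2 holds the payload quoted in the report.
const sampleContacts = [
  { id: 1, first_name: 'Ada', last_name: 'Lovelace', description: 'Met at a conference' },
  { id: 2, first_name: 'Bob', nickname: '{{ constructor.constructor("alert(document.cookie)")() }}' },
];

console.log(auditContacts(sampleContacts));
console.log(renderUserText(sampleContacts[1].nickname));
```

The audit result for existing rows shows which records need review; the `v-pre` wrapper only protects output that actually passes through the helper.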

@RMHogervorst

Is this related to #4543 ?

@bousalman

@RMHogervorst
I was not aware of #4543 before. However, I can see after reading the pull request that it's a different sink.
Although we both use the same source to host the payloads, the payload I used targets the Vue.js rendering engine and fires the XSS vulnerability on the Contact page and also the /Storage endpoint in Settings:

xss2

@github-actions

github-actions bot commented May 2, 2022

This issue has been automatically locked since there
has not been any recent activity after it was closed.
Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 2, 2022