Stored XSS in "Update Status" section under "OrangeBuzz" via the GET/POST parameters createPost[linkTitle] and createPost[linkAddress]
#1217
Comments
Hi @cooliscool

I appreciate your quick response @samanthajayasinghe. This is a mistake from my side. I apologize. I saw all the security reports that were being resolved recently on GitHub issues and thought you'd prefer reporting that way. I shall send you a mail about this.

@samanthajayasinghe the ID ossecurity@orangehrm.com doesn't accept my mails. Please refer to the screenshot.

@cooliscool [ajmalmoochi@protonmail.com] Is this your personal or official email address... The email address seems to be marked as spam by many other public servers.

@kavithagurusamy, it's my personal mail address (Protonmail). I'm not sure exactly why it's being tagged as spam.

It still seems blocked. @kavithagurusamy would it be possible for you to white-list mails from my address?

@kavithagurusamy @samanthajayasinghe

@samanthajayasinghe

Hi @cooliscool,

Environment details
OrangeHRM version: 4.10.1
OrangeHRM source: Release build from Sourceforge or Git clone
Platform: Ubuntu
PHP version: 7.3.33
Database and version: MariaDB 10.3
Web server: Apache 2.4.52
If applicable:
Browser: Firefox
Describe the bug
Insufficient input validation in the Buzz addNewPost API results in a Stored Cross-Site Scripting attack. An attacker who is an authenticated user can craft a malicious request that causes malicious JavaScript to execute in the browser of any other user. The malicious JavaScript can trigger when a victim user visits the Buzz page.
To Reproduce
createPost__csrf_token. Example: _orangehrm
Expected behavior
The values of the parameters createPost[linkTitle] and createPost[linkAddress] should be validated by the API and an error should be thrown.
What do you see instead:
The malicious payload gets submitted successfully and gets stored in the post made by the user.
Screenshots
Technical Details
A logged-in user can post status updates to their Buzz feed. From the front-end application a user can post text in a single field labelled "What's on your mind" to the Buzz feed. This happens via a POST request to the URL /symfony/web/index.php/buzz/addNewPost through the createPost[content] request body parameter. While investigating this API, we found that there are extra parameter fields in the body of this API which are not directly exposed through the front-end application. The following request body parameters found in the API produce certain effects in the HTML response sent by the server:
createPost[linkAddress]: causes the addition of an <a> anchor tag in the response with id linkTitle and with the attribute src set to the value of the createPost[linkAddress] parameter.
createPost[linkTitle]: causes an <a> anchor tag in the response with id linkTitle which is clickable and displayed with the text content sent in the above request parameter.
Combining the above two parameters, it is possible to get an anchor HTML tag with visible clickable text and a chosen URL as src.
The URL payload could be JavaScript, such as javascript:alert(121). This can result in execution of arbitrary malicious JavaScript code on the client side if the victim clicks on the link. The impact of this can be severe since this particular code gets stored in the database and is delivered to the feed of every logged-in user in OrangeHRM. Every user will have this delivered through their 'Buzz' feed.
In terms of impact, this vulnerability enables an attacker to steal the CSRF token and perform arbitrary actions on the website on behalf of the victim user.
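As an added illustration, not OrangeHRM's own code, this is the kind of server-side check the "Expected behavior" section asks for: an http(s) scheme allow-list on createPost[linkAddress], a basic length check on createPost[linkTitle], and the anchor rendered through htmlspecialchars. Function names are assumptions.

```php
<?php
// Added example (not OrangeHRM's code; function names are hypothetical): validate
// createPost[linkAddress] / createPost[linkTitle] before a Buzz post is stored,
// and render the resulting anchor with proper escaping.
const ALLOWED_SCHEMES = ['http', 'https'];

// Returns the URL if it is an absolute http(s) URL, null otherwise. Leading
// control characters are stripped first because browsers ignore them when
// resolving a scheme, so "\tjavascript:..." would otherwise still execute.
function validateLinkAddress(string $url): ?string
{
    $url = preg_replace('/^[\x00-\x20]+/', '', $url);
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    // Scheme allow-list: rejects javascript:, data:, vbscript:, file:, etc.
    return in_array(strtolower($parts['scheme']), ALLOWED_SCHEMES, true) ? $url : null;
}

// Builds the link from the decoded createPost[] array, or throws so the API
// can return an error instead of persisting the payload.
function buildPostLink(array $createPost): ?array
{
    $address = (string)($createPost['linkAddress'] ?? '');
    $title   = trim((string)($createPost['linkTitle'] ?? ''));
    if ($address === '' && $title === '') {
        return null; // plain status update with no link attached
    }
    $href = validateLinkAddress($address);
    if ($href === null || $title === '' || strlen($title) > 200) {
        throw new InvalidArgumentException('Invalid linkAddress or linkTitle');
    }
    return ['href' => $href, 'title' => $title];
}

// Renders the anchor with the attribute value and the text both HTML-escaped.
function renderLink(array $link): string
{
    return sprintf('<a id="linkTitle" href="%s" rel="noopener noreferrer">%s</a>',
        htmlspecialchars($link['href'], ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($link['title'], ENT_QUOTES, 'UTF-8'));
}

// Constructed inputs: the page's javascript: payload is rejected, a normal URL passes.
try {
    buildPostLink(['linkTitle' => 'click', 'linkAddress' => 'javascript:alert(121)']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
echo renderLink(buildPostLink(['linkTitle' => 'Docs <b>', 'linkAddress' => 'https://example.com/?a=1&b=2'])), "\n";
```

The allow-list is on the scheme, not a deny-list of javascript:, so other executable or unexpected schemes are refused without having to enumerate them.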