The latest version of Snorby is vulnerable to a cross-site scripting attack.
Proof-of-Concept
These are the steps to reproduce the bug:
1) Start Snorby in production mode and log in to the web UI.
2) Go to the 'Search' page and enter the payload:
'<img src=x onerror=alert(document.cookie)>' in the input 'Enter search value'.
3) Now click 'More Options' and then click 'Save current search'.
4) Go back to the 'Search' page and edit your previously added search; as you can see, the payload has triggered before the customized search content is rendered.
Mitigation
I think you could use the 'sanitize' method, as for the first XSS, to sanitize the titles in the search page.
The vulnerable file: app/views/saved_searches/view.html.erb
$('#title-header').replaceWith('<div class="edit edit-search-title" id="title-header">'+sanitize data.title+'</div><span class="sub-title">(click to edit)</span>');
This is a demonstration screenshot:
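As an added illustration (not Snorby's code or the reporter's), the fragment below shows the unsafe string-concatenation pattern from view.html.erb next to a hardened version that HTML-escapes the saved-search title before it is concatenated, plus a small check that flags a rendered fragment containing tags the template itself did not produce. The escaping helper, the render functions and the sample title are all constructed here and assume no DOM or jQuery so the snippet runs under Node.

```javascript
// Escape the five characters that matter in an HTML text or attribute context.
// (In a real page the idiomatic jQuery fix is to build the element and call
// .text(data.title) instead of concatenating markup; this helper is the
// string-level equivalent so the example runs without a DOM.)
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Unsafe: the stored title is spliced straight into markup, so a title such as
// '<img src=x onerror=...>' is parsed as HTML when replaceWith() inserts it.
function renderTitleUnsafe(title) {
  return '<div class="edit edit-search-title" id="title-header">' + title +
         '</div><span class="sub-title">(click to edit)</span>';
}

// Hardened: the title is escaped first, so the browser shows the literal
// characters and never sees a new tag or an event-handler attribute.
function renderTitleSafe(title) {
  return '<div class="edit edit-search-title" id="title-header">' + escapeHtml(title) +
         '</div><span class="sub-title">(click to edit)</span>';
}

// Detection-style check: only the template's own <div> and <span> tags are
// expected in the rendered fragment; anything else came from the data.
function containsInjectedTag(html) {
  const templateTags = new Set(['div', '/div', 'span', '/span']);
  const tags = [...html.matchAll(/<\s*(\/?[a-zA-Z][\w-]*)/g)]
    .map((m) => m[1].toLowerCase());
  return tags.some((t) => !templateTags.has(t));
}

// Constructed sample title with the same shape as the payload in the report.
const SAMPLE_TITLE = '<img src=x onerror=alert(document.cookie)>';
```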