bbalet / jorani

Leave and Overtime Management System
http://jorani.org/
GNU Affero General Public License v3.0

There may be XSS hidden dangers here #379

Closed RacerZ-fighting closed 1 year ago

RacerZ-fighting commented 1 year ago

GitHub issue tracker is used for bugs only. For general questions and requests, please join the Google group

Don't hesitate to provide screenshots.

What is the version of Jorani?

v1.0

Expected behavior

Acronym is just a normal form parameter, but if I modify the length of that column in the database, I can input a longer XSS payload.

Actual behavior

And the next time I look at the page, an XSS vulnerability pops out.

Steps to reproduce the behavior

Details can be seen in the attached docx: jorani.docx

bbalet commented 1 year ago

This "attack" is very unlikely to happen. You need to access the db and then edit the db column, but who would edit the length of acronym??? And then you need to have admin privileges to exploit it.

I will add a limit but no panic :)
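The two points raised in this thread, that the database column width is what currently bounds the acronym and that a limit should be enforced in the application, are illustrated below with an added PHP example. It is not Jorani's own code: the `validate_acronym` and `render_acronym` functions and the 5-character limit are assumptions for illustration.

```php
<?php
// Hypothetical example, not Jorani's own code. The acronym is validated on the
// server independently of the database column, and escaped on every render,
// so widening the VARCHAR (or writing to it through another path) gains nothing.

const ACRONYM_MAX_LENGTH = 5; // assumed limit; the page does not state Jorani's

/**
 * Validate an acronym before it is stored. Returns null when the value is
 * acceptable, otherwise a message describing the rejection. The allowed
 * character set is deliberately narrow, so markup never reaches the database.
 */
function validate_acronym(string $acronym): ?string
{
    if ($acronym === '') {
        return 'Acronym is required.';
    }
    if (mb_strlen($acronym, 'UTF-8') > ACRONYM_MAX_LENGTH) {
        return 'Acronym must be at most ' . ACRONYM_MAX_LENGTH . ' characters.';
    }
    if (!preg_match('/^[\p{L}\p{N}]+$/u', $acronym)) {
        return 'Acronym may only contain letters and digits.';
    }
    return null;
}

/**
 * Escape a stored value for insertion into HTML text or a quoted attribute.
 * Applied at output time, so a value that bypassed validation (for example
 * through a SQL injection) is still displayed inertly rather than executed.
 */
function render_acronym(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed inputs for illustration.
$accepted = validate_acronym('HR');            // null: passes all checks
$rejected = validate_acronym('<b>HR</b>');     // rejected: too long and not alphanumeric
echo 'HR: ', $accepted ?? 'accepted', PHP_EOL;
echo '<b>HR</b>: ', $rejected ?? 'accepted', PHP_EOL;
echo 'Rendered: ', render_acronym('<b>HR</b>'), PHP_EOL;
```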

RacerZ-fighting commented 1 year ago


Thanks! I found it exploitable because there already exists a SQL vuln (CVE-2022-34132), so maybe the attacker can use it to control the db column.