Module: Openlibrary
Vulnerability: Stored XSS in Editor
Versions: deploy-2021-12-22
Vulnerability Description:
The "Openlibrary" application is vulnerable to Stored XSS. The text editor labelled "How would you describe
this book" allows any user to store malicious scripts while creating a new book. When an admin user
navigates to Recent Community Edits and edits that book, the stored script is executed.
Vulnerable GitHub Versions:
deploy-2016-07-06 to deploy-2021-12-22
Description
Vulnerable Code: https://github.com/internetarchive/openlibrary/blob/deploy-2021-12-22/openlibrary/plugins/openlibrary/js/markdown-editor/index.js#L8
PoC Details:
Go to the application (http://localhost:8080/) and log in with "Account A" (userbot@example.com:admin123).
Go to the "More" menu and click "Add a Book". Fill in all the input fields and create a book.
Go to "Work Details", insert the XSS payload in the text editor ("How would you describe this book") and click "Save".
Open a private window and log in with the admin-privileged user credentials (openlibrary@example.com:admin123).
Navigate to "Recent community edits" from the "More" menu and click the most recent entry.
Click "Edit"; the XSS is triggered when the Work Details page is displayed.
CVSS 3.1 Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVSS 3.1 score: 5.4 (Medium)
CWE List: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Solution
The work details fields should be sanitized so that markup is safely scrubbed before the stored description is rendered back into the editor for other users.
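As an added illustration of the kind of scrubbing the solution calls for (example code written for this report, not Open Library's own code), the following Python allowlist sanitizer keeps only a small set of harmless formatting tags, drops every attribute except a scheme-checked href on links, and discards script/style content entirely. The tag and attribute allowlists, the sample input and the function names are assumptions chosen for the demonstration; a production fix would normally rely on a maintained sanitizer library rather than a hand-written one.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist for a book-description field: formatting only, no scripts.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "ul", "ol", "li",
                "br", "a", "blockquote", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href"}}   # everything else (on*, style, src...) is dropped
VOID_TAGS = {"br"}
DROP_CONTENT_TAGS = {"script", "style"}  # tag AND its text are removed


def _safe_url(url):
    """Allow site-relative paths and http(s) links only; rejects javascript: etc."""
    url = (url or "").strip()
    if url.startswith("/") and not url.startswith("//"):
        return True
    return urlparse(url).scheme.lower() in ("http", "https")


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the input from parsed tokens, emitting only allowlisted markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []     # stack of allowed tags still open
        self.skip_depth = 0     # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped, its text content is kept (escaped)
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # silently removes event handlers and other attributes
            if name == "href" and not _safe_url(value):
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if tag not in ALLOWED_TAGS or tag in VOID_TAGS or tag not in self.open_tags:
            return
        # Close anything opened after this tag so the output stays well-formed.
        while self.open_tags:
            closed = self.open_tags.pop()
            self.out.append(f"</{closed}>")
            if closed == tag:
                break

    def handle_data(self, data):
        if self.skip_depth == 0:
            self.out.append(escape(data))  # text is always re-escaped

    def result(self):
        self.close()
        while self.open_tags:               # close tags the author left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_description(raw_html):
    """Scrub a user-supplied description before it is stored or rendered."""
    parser = AllowlistSanitizer()
    parser.feed(raw_html)
    return parser.result()


if __name__ == "__main__":
    # Constructed sample of the kind of content a hostile editor might submit.
    sample = ('<p>A <b onclick="steal()">great</b> book &amp; more</p>'
              '<script>steal()</script>'
              '<a href="javascript:steal()">click</a>')
    print(sanitize_description(sample))
```

Run stand-alone it prints the scrubbed description: the onclick handler, the script block and the javascript: link target are gone while the plain formatting survives. The check should be applied on the server when the field is saved, since a client-side editor can be bypassed entirely.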