Gist bybit-sec/eb750c1d906c89e97092b29015472738
Last active May 25, 2023 02:26
Multiple XSS
1. Stored XSS in Tickets comment

Vulnerability description

Malicious users can submit a ticket to apply for access to certain resources. After submitting a ticket, users can also add comments on it. When an administrator opens the ticket to approve it, they can see the comments for details. Because the user's input is not filtered and v-html is used to render it directly, this results in a stored XSS vulnerability that can execute arbitrary JavaScript with the administrator's permissions, for example performing CSRF to promote a normal user to the administrator role.

Affected version

2.24.0 <= version <= 2.28.X

Reference

https://github.com/jumpserver/lina/pull/2264

Steps to reproduce

1. Log in as a normal user.
2. Submit a ticket applying for something.
3. Add the comment: <img src=x onerror='alert(document.cookie)'>
4. Wait for an administrator to open the ticket, which triggers the XSS.
5. With another malicious payload, when the administrator opens the ticket, it will promote the normal user to an admin user via CSRF, like this:
<img src=x onerror='alert(document.cookie)'>
2. Stored XSS in Alarm Messages Subscribe

Vulnerability description

JumpServer provides a feature for restricting dangerous commands. Administrators can receive alarm messages by setting a recipient. When setting the recipient, the third-party component used renders the 'label' param with v-html, so a crafted username results in a stored XSS vulnerability that can execute arbitrary JavaScript with the administrator's permissions, for example performing CSRF to promote a normal user to the administrator role.

Affected version

2.10.0 <= version <= 2.28.X

Reference

https://github.com/jumpserver/lina/pull/2264
https://github.com/Krryxa/krry-transfer/blob/master/src/packages/paging/models/box.vue#L50

Severity

Medium

Steps to reproduce

1. Log in to JumpServer as an administrator (administrator permission is required).
2. Add a new user whose name or username is: <img src=x onerror='alert(document.cookie)'>
3. Open System Settings -> Message -> change receivers; the XSS then executes.
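Both findings share one root cause: untrusted text (a ticket comment, a username used as a picker label) reaches a v-html binding unescaped. The following JavaScript is an added example, not JumpServer's code and not the fix in the referenced PR; it shows the escaping that makes such values inert in an HTML context and a validation check that flags inputs carrying inline event handlers. The function names and the sample comment are constructed for this example.

```javascript
// Added example (not JumpServer's code): neutralise untrusted text before it
// reaches an HTML context, and flag values that carry active HTML.

// Characters that must be escaped when text is placed into HTML markup.
// After escaping, the payload from the steps above is displayed literally
// instead of being parsed as an <img> element with an onerror handler.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Defensive check for server-side validation or audit logging: does the value
// contain a tag with an on* event-handler attribute, or a javascript: URL in
// an href/src attribute? This is a detection aid, not a substitute for escaping.
const EVENT_HANDLER_RE = /<[^>]*\son[a-z]+\s*=/i;
const JS_URL_RE = /(?:href|src)\s*=\s*["']?\s*javascript:/i;

function looksLikeActiveHtml(value) {
  return EVENT_HANDLER_RE.test(String(value)) || JS_URL_RE.test(String(value));
}

// Ticket-comment case: a comment body is escaped before it is wrapped in
// markup. A Vue template would get the same effect by binding the raw comment
// with {{ }} text interpolation rather than v-html.
function renderComment(comment) {
  return `<p class="comment">${escapeHtml(comment)}</p>`;
}

// Recipient-picker case: the third-party component renders 'label' through
// v-html, so the username must be escaped before it is handed to the component.
function toRecipientOption(user) {
  return { value: user.id, label: escapeHtml(user.username) };
}

// Constructed sample input matching the payload used in the steps above.
const SAMPLE_COMMENT = "<img src=x onerror='alert(document.cookie)'>";
```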