Skip to content

Instantly share code, notes, and snippets.

@bybit-sec
Last active May 25, 2023 02:26
Show Gist options
  • Save bybit-sec/eb750c1d906c89e97092b29015472738 to your computer and use it in GitHub Desktop.
Save bybit-sec/eb750c1d906c89e97092b29015472738 to your computer and use it in GitHub Desktop.
Multiple XSS
1. Stored XSS in Tickets comment
Evil users can submit ticket to apply for access to certain resources. After submitting a ticket, users can also add comments on the ticket. When an administrator open ticket to approves , they can See comments for details. But because the user's input is not filtered, and the v-html is used for rendering directly, resulting in an XSS vulnerability, which can execute any javascript under admin's permission, such as perform CSRF to update normal user to administrator role, etc.
Affect version
2.24.0 <= version <=2.28.X
Reference
https://github.com/jumpserver/lina/pull/2264
Steps to reproduce
1. login as normal user
2. submit ticket apply for something
3. add comment: <img src=x onerror='alert(document.cookie)'>
4. wait administrator open ticket to trigger XSS.
5. with another evil payload, when administrator open ticket, they will update normal user to admin user by CSRF, like this:
<img src=x onerror='alert(document.cookie)'>
2. Stored XSS in Alarm Messages Subscribe
Vulnerability description
Jumpserver provides the features of restricting dangerous commands. Administrators can receive alarm message by setting recipient. When setting the recipient, because the third-party component used uses v-html to render the 'label' param, a crafted username resulting in a stored XSS vulnerability, which can execute any javascript under admin's permission, such as perform CSRF to update normal user to administrator role, etc.
Affect version
2.10.0 <= version <=2.28.X
Reference
https://github.com/jumpserver/lina/pull/2264
https://github.com/Krryxa/krry-transfer/blob/master/src/packages/paging/models/box.vue#L50
Severity
Medium
Steps to reproduce
1. login jumpserver as administrator (need administrator permission)
2. add new user and it's name or username is: <img src=x onerror='alert(document.cookie)'>
3. open system setting-> message -> change recievers, then XSS execute.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment