PeTeReport 0.5 - Stored XSS (Markdown)
Discovered by
Offensive Team, Fluid Attacks
Summary
Full name
PeTeReport 0.5 - Stored XSS (Markdown)
Code name
State
Public
Release date
Feb 23, 2022
Affected product
PeTeReport
Affected version(s)
Version 0.5
Fixed version(s)
Version 0.7
Vulnerability name
Stored cross-site scripting (XSS)
Vulnerability type
Remotely exploitable
Yes
CVSS v3.1 vector string
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CVSS v3.1 base score
4.8
Exploit available
No
CVE ID(s)
Description
PeteReport Version 0.5 allows an authenticated admin user to inject persistent javascript code inside the markdown descriptions while creating a product, report or finding.
Proof of Concept
Steps to reproduce
Click on 'Add Product'.
Insert the following PoC inside the product description.
Click on 'Save Product'.
If a user visits the product and click on the link in the description the javascript code will be rendered.
System Information
Version: PeteReport Version 0.5.
Operating System: Docker.
Web Server: nginx.
Exploit
There is no exploit for the vulnerability but can be manually exploited.
Mitigation
An updated version of PeteReport is available at the vendor page.
References
Timeline
Feb 8, 2022
Vulnerability discovered
Feb 8, 2022
Vendor contacted
Feb 9, 2022
Vendor replied
Feb 28, 2022
Vulnerability patched
Feb 23, 2022
Public disclosure
Does your application use this vulnerable software?
During our free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.
