PeTeReport 0.5 - Stored XSS (Attack Tree)
Summary
Name | PeTeReport 0.5 - Stored XSS (Attack Tree) |
Code name | |
Product | PeTeReport |
Affected versions | Version 0.5 |
Fixed Versions | Version 0.7 |
State | Public |
Release date | 2022-02-23 |
Vulnerability
Kind | Stored cross-site scripting (XSS) |
Rule | |
Remote | Yes |
CVSSv3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N |
CVSSv3.1 Base Score | 4.8 |
Exploit available | No |
CVE ID(s) | |
Description
PeTeReport version 0.5 allows an authenticated admin user to inject persistent JavaScript code while adding an 'Attack Tree' by modifying the svg_file parameter. The injected markup is stored with the attack tree and executes in the browser of any user who later views it.
Proof of Concept
Steps to reproduce
- Create a new Report.
- Create a new Finding for the Report.
- Go to 'Reports' > 'All Reports'.
- Click on 'View' in the last created record.
- Go to 'Attack Trees'.
- Click on 'Add Attack Tree'.
- Select your Finding and click on 'Save and Finish'.
- Intercept the request and insert JavaScript code inside the svg_file parameter, for example:
  <script type="text/javascript"> alert("XSS"); </script>
- If a user visits the attack tree, the JavaScript code will be rendered and executed in their browser.
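The check a practitioner would want after these steps is server-side sanitisation of the submitted svg_file content before it is stored or rendered. What follows is an added example written for this page; it is not PeTeReport's own code and not the fix shipped in version 0.7. It is a small allowlist-based SVG sanitiser in Python (PeTeReport is a Python application) built on the standard library's xml.etree: every element not on the allowlist (including script, style and foreignObject) is dropped, event-handler attributes and non-fragment href values are removed, and anything whose root element is not svg is rejected outright. The names sanitize_svg, try_sanitize, ALLOWED_TAGS, MALICIOUS_SVG and POC_PAYLOAD, and the sample SVG, are constructed for this example; POC_PAYLOAD is the payload from the steps above.

```python
"""Allowlist-based SVG sanitiser (added example, not PeTeReport's code).

Shows the server-side check that would stop the stored XSS described above:
the submitted svg_file content is parsed, every element and attribute not on
the allowlist is dropped, and any document whose root is not <svg> is refused.
All names in this file are assumptions of the example.
"""
import xml.etree.ElementTree as ET  # production code: parse with defusedxml instead

SVG_NS = "http://www.w3.org/2000/svg"

# Drawing primitives an attack-tree image legitimately needs; <script>,
# <style>, <foreignObject> and <image> are deliberately absent.
ALLOWED_TAGS = {
    "svg", "g", "defs", "marker", "title", "desc", "a", "path", "rect",
    "circle", "ellipse", "line", "polyline", "polygon", "text", "tspan",
}


def _local(name: str) -> str:
    """Strip a Clark-notation namespace: '{http://...}svg' -> 'svg'."""
    return name.rsplit("}", 1)[-1]


def _attr_is_safe(name: str, value: str) -> bool:
    local = _local(name).lower()
    if local.startswith("on"):          # onclick, onload, onmouseover, ...
        return False
    if local == "href":                 # href / xlink:href: same-document fragments only
        return value.strip().startswith("#")
    return True


def _copy_clean(elem: ET.Element) -> "ET.Element | None":
    """Rebuild `elem` keeping only allowlisted tags and safe attributes."""
    tag = _local(elem.tag)
    if tag not in ALLOWED_TAGS:
        return None
    clean = ET.Element(tag)
    clean.text = elem.text
    for name, value in elem.attrib.items():
        if _attr_is_safe(name, value):
            clean.set(_local(name), value)
    for child in elem:
        clean_child = _copy_clean(child)
        if clean_child is None:
            # Dropped element: keep the text that followed it so nothing is lost.
            if len(clean):
                clean[-1].tail = (clean[-1].tail or "") + (child.tail or "")
            else:
                clean.text = (clean.text or "") + (child.tail or "")
        else:
            clean_child.tail = child.tail
            clean.append(clean_child)
    return clean


def sanitize_svg(markup: str) -> str:
    """Return sanitised SVG markup; raise ValueError if the root is not <svg>."""
    root = ET.fromstring(markup)
    if _local(root.tag) != "svg":
        raise ValueError(f"root element is <{_local(root.tag)}>, not <svg>")
    clean = _copy_clean(root)
    clean.set("xmlns", SVG_NS)
    return ET.tostring(clean, encoding="unicode")


def try_sanitize(markup: str) -> "str | None":
    """Convenience wrapper: None means the upload should be rejected."""
    try:
        return sanitize_svg(markup)
    except (ValueError, ET.ParseError):
        return None


# Constructed inputs for this example. POC_PAYLOAD is the advisory's payload;
# MALICIOUS_SVG is a well-formed SVG carrying three injection vectors.
POC_PAYLOAD = '<script type="text/javascript"> alert("XSS"); </script>'
MALICIOUS_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="100">'
    '<rect x="10" y="10" width="50" height="50" onclick="alert(1)"/>'
    '<script type="text/javascript">alert("XSS");</script> tail text'
    '<a xlink:href="javascript:alert(2)"><text x="20" y="80">Root</text></a>'
    '</svg>'
)

if __name__ == "__main__":
    print("PoC payload accepted:", try_sanitize(POC_PAYLOAD) is not None)
    print(sanitize_svg(MALICIOUS_SVG))
```

Two caveats apply to this approach. xml.etree is not hardened against entity-expansion attacks, so a real upload handler should parse with defusedxml or disable DTD processing; and sanitisation is a complement to, not a substitute for, serving stored SVG under a restrictive Content-Security-Policy or as an image resource rather than inline markup.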
System Information
- Version: PeTeReport version 0.5.
- Operating System: Docker.
- Web Server: nginx.
Exploit
There is no public exploit for this vulnerability, but it can be exploited manually by following the steps above.
Mitigation
An updated version of PeTeReport (0.7 or later) that fixes this issue is available at the vendor page.
Credits
The vulnerability was discovered by Oscar Uribe from the Offensive Team of Fluid Attacks.
References
Vendor page https://github.com/1modm/petereport
Issue https://github.com/1modm/petereport/issues/36
Timeline
2022-02-08 Vulnerability discovered.
2022-02-08 Vendor contacted.
2022-02-09 Vendor replied acknowledging the report.
2022-02-09 Vulnerability patched.
2022-02-23 Public disclosure.