Headline
CVE-2022-2589: Reflected XSS on conversion filter function in fava
Cross-site Scripting (XSS) - Reflected in GitHub repository beancount/fava prior to 1.22.3.
Description
Fava v1.22 has a conversion filter function on the income statement dashboard which allows a user to perform XSS due to improper validation of the conversion filter value.
Proof of Concept
- Navigate to Fava demo instance https://fava.pythonanywhere.com/example-beancount-file/income_statement/.
- Filter on conversion type and add payload on the result.
- Hover mouse cursor to bar chart (visualization) and XSS alert will pop up.
Endpoints
- https://fava.pythonanywhere.com/huge-example-file/income_statement/?conversion=at_value
- https://fava.pythonanywhere.com/example-with-budgets/income_statement/?conversion=units
- https://fava.pythonanywhere.com/example-beancount-file/income_statement/?conversion=at_value
Payload
- "><img src=a onerror=alert(document.domain)>
Screenshot POC
- (screenshot: xss domain)
- (screenshot: xss)
Impact
This vulnerability is capable of executing malicious JavaScript code in the web page.
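To illustrate the bug class behind this advisory and the corresponding fix, the following is an added example and is not fava's own code. It assumes the conversion filter value is interpolated into the chart tooltip's HTML as a string; the function names, the wrapper markup and the allow-list contents are assumptions (only "units" and "at_value" appear in the advisory's endpoints). The vulnerable pattern is shown beside two defences: output escaping and allow-list validation, plus a small check that can be used in a test to detect injected tags.

```javascript
// Added example (not fava's code). Assumption: the ?conversion= value is echoed
// into a tooltip that is built as an HTML string and rendered on hover.

// Constructed sample inputs: a legitimate value and the advisory's payload.
const LEGIT = "at_value";
const PAYLOAD = '"><img src=a onerror=alert(document.domain)>';

// Vulnerable pattern: user-controlled value concatenated into markup unescaped.
// Any value that ends the text context can inject a new element.
function tooltipUnsafe(conversion) {
  return `<span class="conversion">${conversion}</span>`;
}

// Escape the five characters that can break out of HTML text or attribute context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern: escape before interpolation so the value is rendered as text.
function tooltipSafe(conversion) {
  return `<span class="conversion">${escapeHtml(conversion)}</span>`;
}

// Stricter alternative: accept only known conversion keywords and reject anything else.
// The set below is an assumption, not fava's actual list.
const ALLOWED_CONVERSIONS = new Set(["units", "at_value"]);
function validateConversion(conversion) {
  return ALLOWED_CONVERSIONS.has(conversion) ? conversion : null;
}

// Regression check: does the rendered markup contain any tag other than the wrapper span?
function containsInjectedTag(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some((t) => !/^<\/?span\b/.test(t));
}

// Stand-alone demonstration.
console.log("unsafe  :", tooltipUnsafe(PAYLOAD), "->", containsInjectedTag(tooltipUnsafe(PAYLOAD)));
console.log("escaped :", tooltipSafe(PAYLOAD), "->", containsInjectedTag(tooltipSafe(PAYLOAD)));
console.log("validate:", validateConversion(LEGIT), validateConversion(PAYLOAD));
```

Escaping is the minimal fix for the rendering path; allow-list validation at the request boundary is the stronger control, since the conversion parameter has a small fixed vocabulary and there is no reason to accept arbitrary strings.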
Related news
GHSA-6hcj-qrw3-m66q: Fava before 1.22.3 vulnerable to reflected cross-site scripting
Fava before 1.22.3 is vulnerable to reflected cross-site scripting due to improper validation on filter conversion.