CVE-2022-1346: Multiple Stored XSS in organizr

Multiple stored XSS in GitHub repository causefx/organizr prior to 2.1.1810. A co-admin can store a script payload that executes in the admin's browser, which can lead to session hijacking, sensitive data exposure and takeover of the admin account.


Description

The organizr application accepts a malicious JavaScript payload in several input fields of the Tab Editor, such as "Categories", "Bookmark Tabs" and "Bookmark Categories". The stored value is rendered unescaped when the admin views the same page, so a co-admin can use it to take over the admin account.

Proof of Concept

1. Log in to the co-admin account and go to "Settings" -> "Tab Editor".

2. In the "Add" dialogs for "Categories", "Bookmark Tabs" and "Bookmark Categories", enter one of the payloads below as the name:

      <img src=x onerror=alert(document.cookie)>

      <img src=x onerror=alert(document.domain)>

      <img src=x onerror=alert(document.location)>

3. Log in as the admin and open "Settings" -> "Tab Editor". As soon as the "Categories", "Bookmark Tabs" and "Bookmark Categories" lists are rendered, the payloads fire in the admin's browser for each of those fields.
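The following is an added illustration, not organizr's own code: it shows why a stored category name like the payloads above ends up executing, and what a corrected renderer looks like. The data and all function and field names (STORED_CATEGORIES, renderCategoriesVulnerable, renderCategoriesSafe, unexpectedTags) are assumptions for the example; the constructed sample stands in for what a co-admin saved through the Tab Editor.

```javascript
// Added example (not organizr code). Function and field names are assumptions.

// Constructed sample of stored Tab Editor categories: one benign name and one
// containing the first payload from the PoC above.
const STORED_CATEGORIES = [
  { id: 1, name: "Media" },
  { id: 2, name: "<img src=x onerror=alert(document.cookie)>" },
];

// Vulnerable renderer: trusts the stored name and splices it straight into
// markup. When the admin's browser assigns this fragment to innerHTML, the
// <img> element is created, fails to load, and onerror runs as the admin.
function renderCategoriesVulnerable(categories) {
  return categories
    .map((c) => `<li data-id="${c.id}">${c.name}</li>`)
    .join("");
}

// HTML escaping for text nodes and double-quoted attribute values.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened renderer: every stored value is escaped for the context it lands
// in, so the payload is shown as literal text instead of parsed as markup.
function renderCategoriesSafe(categories) {
  return categories
    .map((c) => `<li data-id="${escapeHtml(c.id)}">${escapeHtml(c.name)}</li>`)
    .join("");
}

// Sanity check for a rendered fragment: the template only ever emits <li>,
// so any other tag name means stored data reached the page unescaped.
// Returns the list of unexpected tag names (empty when the fragment is clean).
function unexpectedTags(html, allowed = ["li"]) {
  const found = new Set();
  for (const m of html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9-]*)/g)) {
    const tag = m[1].toLowerCase();
    if (!allowed.includes(tag)) found.add(tag);
  }
  return [...found];
}

// Stand-alone demonstration.
console.log("vulnerable:", renderCategoriesVulnerable(STORED_CATEGORIES));
console.log("unexpected tags:", unexpectedTags(renderCategoriesVulnerable(STORED_CATEGORIES)));
console.log("safe:      ", renderCategoriesSafe(STORED_CATEGORIES));
console.log("unexpected tags:", unexpectedTags(renderCategoriesSafe(STORED_CATEGORIES)));
```

The unexpectedTags check is a cheap regression test for a template that is only supposed to emit a fixed set of elements; it will not catch attribute-context injection on its own, which is why escaping at every interpolation point, not output scanning, is the actual fix.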

PoC Video

https://drive.google.com/file/d/1n9FvXxzzmvtZc4VsdzOHl0oPxSnSDpMy/view?usp=sharing

Impact

A co-admin who stores one of these payloads gets arbitrary JavaScript executed in the admin's browser, in the application's own origin, every time the admin opens the Tab Editor. Even where the session cookie is not readable from script, that script can still issue authenticated requests as the admin, so the practical impact is takeover of the admin account, alongside session hijacking and sensitive data exposure.
