Headline
CVE-2023-33780: XSS Vulnerability in news endpoint
A stored cross-site scripting (XSS) vulnerability in TFDi Design smartCARS 3 v0.7.0 and below allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the body of news article.
Affected versions
< 0.7.0
Description
Summary
A user can post a news article that contains a malicious payload and this will be run on smartcars
Details
Add this as the news article body <a onmouseover="alert(‘XSS Alert’)">xxs link</a> and then on SC3 load, hover over xss link and observe the alert display
PoC
as above
Impact
The ability to run scripts on users SC3 instances if an attacker was able to attach a payload