CVE-2022-23051: Security Issue - Stored XSS (Attack Tree) · Issue #36 · 1modm/petereport
PeteReport Version 0.5 allows an authenticated admin user to inject persistent JavaScript code while adding an ‘Attack Tree’ by modifying the ‘svg_file’ parameter.
Hi, I am a security researcher at Fluid Attacks. Our security team found a security issue inside PeteReport version 0.5.
We will assign the CVE ID CVE-2022-23051 to this issue, but the information will be released after the vulnerability is patched. Attached below are the links to our responsible disclosure policy.
- https://fluidattacks.com/advisories/policy
Bug description
PeteReport Version 0.5 allows an authenticated admin user to inject persistent JavaScript code while adding an ‘Attack Tree’ by modifying the svg_file parameter.
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CVSSv3 Base Score:
4.8
Steps to reproduce
- Create a new Report.
- Create a new Finding for the Report.
- Go to ‘Reports’ > ‘All Reports’.
- Click on ‘View’ in the last created record.
- Go to ‘Attack Trees’.
- Click on ‘Add Attack Tree’.
- Select your Finding and click on ‘Save and Finish’.
- Intercept the request and insert JavaScript code inside the svg_file parameter.
<script type="text/javascript"> alert("XSS"); </script>
- If a user visits the attack tree, the JavaScript code will be rendered.
Screenshots and files
System Information
- Version: PeteReport Version 0.5.
- Operating System: Docker.
- Web Server: nginx.
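
A server-side check for the class of input this report describes, as an added example that is not part of the original issue and is not PeteReport's code: it reduces a submitted `svg_file` value to an allow-list of SVG elements and attributes before it is stored. It assumes `svg_file` carries SVG markup that is later embedded in the attack tree page; the function name, the allow-lists and the sample inputs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
# Assumed allow-lists: extend them to what the diagram editor really emits.
ALLOWED_TAGS = {"svg", "g", "defs", "marker", "path", "rect", "circle", "ellipse",
                "line", "polyline", "polygon", "text", "tspan", "title", "desc"}
ALLOWED_ATTRS = {"id", "class", "d", "x", "y", "x1", "y1", "x2", "y2", "cx", "cy",
                 "r", "rx", "ry", "width", "height", "viewBox", "points",
                 "transform", "fill", "stroke", "stroke-width", "font-size",
                 "font-family", "text-anchor"}
ALLOWED_QNAMES = {f"{{{SVG_NS}}}{name}" for name in ALLOWED_TAGS}


def sanitize_svg(svg_text: str) -> str:
    """Return svg_text reduced to allow-listed SVG, or raise ValueError."""
    upper = svg_text.upper()
    if "<!DOCTYPE" in upper or "<!ENTITY" in upper:
        raise ValueError("DTDs and entity declarations are not accepted")
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        raise ValueError("svg_file is not well-formed XML") from exc
    if root.tag != f"{{{SVG_NS}}}svg":
        raise ValueError("root element must be <svg> in the SVG namespace")
    # Drop every element that is not on the allow-list, with its whole subtree
    # (this removes <script>, <foreignObject>, <a>, <use>, <style>, ...).
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag not in ALLOWED_QNAMES:
                parent.remove(child)
    # Drop every attribute that is not on the allow-list: event handlers (on*),
    # href/xlink:href, style and any namespaced attribute all fail this check.
    for element in root.iter():
        for name in list(element.attrib):
            if name not in ALLOWED_ATTRS:
                del element.attrib[name]
    ET.register_namespace("", SVG_NS)  # serialize without an ns0: prefix
    return ET.tostring(root, encoding="unicode")


# Constructed inputs: the payload from the report, and an SVG carrying script.
PAGE_PAYLOAD = '<script type="text/javascript"> alert("XSS"); </script>'
SAMPLE_SVG = (f'<svg xmlns="{SVG_NS}" width="20" height="20">'
              '<script>alert("XSS");</script>'
              '<rect width="10" height="10" onclick="alert(1)"/></svg>')

if __name__ == "__main__":
    print(sanitize_svg(SAMPLE_SVG))
```

Validation on input complements, and does not replace, escaping or sanitizing at the point where the stored value is written into the page.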