Headline
CVE-2022-46087: Advisory_G37SYS73M/poc.md at main · G37SYS73M/Advisory_G37SYS73M
Description
CloudSchool v3.0.1 is vulnerable to Cross Site Scripting (XSS). A normal user can steal session cookies of the admin users through notification received by the admin user.
Additional Information
Contacted the Vendor of this application, no reply from them even after multiple follow-ups.
Vulnerability Type
Cross Site Scripting (XSS)
Vendor of Product
Cloud School
Affected Product Code Base
CloudSchool v3.0.1 - https://github.com/hrshadhin/school-management-system
Affected Component
This vulnerability allows an attacker to execute XSS payloads in the session of another user, which may result in cookie theft or the execution of malicious scripts in the victim’s browser.
Attack Type
Remote
Impact Escalation of Privileges
true
Attack Vectors
In this scenario there are two users: "superadmin", the victim, who has all permissions in the application, and "admin1", the attacker, who has permission only to create, edit and delete employees and users. The user "admin1" creates an employee whose name is the payload "<script>alert(141)</script>". After the employee is created, a notification is raised when the "superadmin" user logs in to the application. Because the input is not sanitized, the JavaScript payload is executed in the session of the "superadmin" user. This behavior can be replicated in any scenario where the victim user receives a notification.
Reference
https://github.com/hrshadhin/school-management-system
Discoverer
Soummya Mukhopadhyay @G37SYS73M