CVE-2023-33969: Stored XSS in the Task External Link Functionality

Kanboard is open source project management software that focuses on the Kanban methodology. A stored cross-site scripting (XSS) vulnerability allows an attacker to execute arbitrary JavaScript; any user who views the task containing the malicious code is exposed to the attack. Note: the default CSP header configuration blocks this JavaScript attack. This issue has been addressed in version 1.2.30. Users are advised to upgrade. Users unable to upgrade should ensure that they have a restrictive CSP header configuration.


Summary

A stored XSS allows an attacker to execute arbitrary JavaScript; any user who views the task containing the malicious code is exposed to the attack.

Note: The default CSP blocks the JavaScript attack, though it can be exploited if an instance is badly configured, and at the moment it's vulnerable to CSS injection because of the unsafe-inline on the default CSP, so I think it would also be good to take a look into that and maybe remove that flag from the default CSP.

Details

The stored XSS vulnerability is present in the file /app/Template/task_external_link/table.php, on line 32.
The input variable $link['url'] is interpolated into the href attribute without being escaped with the e() function, unlike the other variables used in the same context (the title attribute, the link text and the hidden span are all escaped).

<a href="<?= $link['url'] ?>" title="<?= $this->text->e($link['url']) ?>" target="_blank"><?= $this->text->e($link['title']) ?><span class="ui-helper-hidden-accessible"> (<?= $this->text->e($link['url']) ?>)</span></a>

PoC

  1. Create a task in any project you wish.
  2. Create an external link of any type (for example, auto) and click save.
  3. Edit the link and replace the URL value with the following payload, then save: "><meta http-equiv="refresh" content="2;url=http://example.com/" /> The task now carries a stored XSS payload: the leading " terminates the href value and the > terminates the <a> start tag, so the injected <meta> element becomes part of the page. A meta refresh is plain HTML rather than script, so CSP script restrictions do not stop this particular payload.
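The following PHP is an added example, not Kanboard's own code. It reproduces the vulnerable template line from the Details section beside its hardened form and renders both with the PoC payload, so the attribute breakout can be seen in the output. The e() function below is an assumption standing in for Kanboard's $this->text->e() helper: it is modelled as htmlspecialchars() with ENT_QUOTES so that both double and single quotes are encoded. The attributeBreakout() check, the function names and the sample link data are constructed for this example.

```php
<?php
// Added example (not Kanboard's code). e() stands in for Kanboard's
// $this->text->e() helper and is assumed here to be htmlspecialchars()
// with ENT_QUOTES, so both " and ' are encoded and cannot end an attribute.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable form of the template line: $link['url'] goes into href unescaped,
// while the title attribute, the link text and the hidden span are escaped.
function renderLinkVulnerable(array $link): string
{
    return '<a href="' . $link['url'] . '" title="' . e($link['url']) . '" target="_blank">'
        . e($link['title'])
        . '<span class="ui-helper-hidden-accessible"> (' . e($link['url']) . ')</span></a>';
}

// Hardened form: the only change is that href is escaped like the others.
function renderLinkFixed(array $link): string
{
    return '<a href="' . e($link['url']) . '" title="' . e($link['url']) . '" target="_blank">'
        . e($link['title'])
        . '<span class="ui-helper-hidden-accessible"> (' . e($link['url']) . ')</span></a>';
}

// Detects attribute breakout: one rendered link legitimately opens exactly
// two elements (<a> and <span>); any further start tag came from the value.
function attributeBreakout(string $html): bool
{
    return preg_match_all('/<[a-z]/i', $html) > 2;
}

// Constructed sample using the PoC payload from the steps above.
$link = [
    'title' => 'Design notes',
    'url'   => '"><meta http-equiv="refresh" content="2;url=http://example.com/" />',
];

$rendered = [
    'vulnerable' => renderLinkVulnerable($link),
    'fixed'      => renderLinkFixed($link),
];

foreach ($rendered as $label => $html) {
    printf("%s: breakout=%s\n%s\n\n", $label, attributeBreakout($html) ? 'yes' : 'no', $html);
}
```

Run it with the php CLI. In the vulnerable rendering the first " of the stored URL closes the href value and the following > closes the <a> start tag, so the <meta> element is parsed as markup; in the fixed rendering the same bytes appear inside the attribute as &quot;&gt;&lt;meta ... and the browser treats them as text. Escaping closes the attribute-breakout hole reported here; it does not by itself reject a javascript: scheme in an href, so a scheme allowlist on the stored URL is a sensible complementary control (this is a general defence-in-depth note, not part of the reported fix).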

(Video: stored_xss_kanboard.mp4)

Impact

The stored XSS allows an attacker to execute arbitrary JavaScript in the context of any user who views the malicious task. If an Administrator views the task containing the malicious code, the attacker can use that session to escalate their privileges within the application.

Combined with the Broken Access Control vulnerability reported before, this enables mass exploitation: an attacker can spray a malicious task containing the XSS payload into any project (personal or not) and simply wait for anyone who uses the software to view it.
