Headline
CVE-2022-25220: PeTeReport 0.5 - Stored XSS (Markdown) | Fluid Attacks
PeTeReport Version 0.5 allows an authenticated admin user to inject persistent JavaScript code inside the Markdown descriptions while creating a product, report or finding.
Summary
Name
PeTeReport 0.5 - Stored XSS (Markdown)
Code name
Armstrong
Product
PeTeReport
Affected versions
Version 0.5
Fixed versions
Version 0.7
State
Public
Release date
2022-02-23
Vulnerability
Kind
Stored cross-site scripting (XSS)
Rule
010. Stored cross-site scripting (XSS)
Remote
Yes
CVSSv3 Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CVSSv3 Base Score
4.8
Exploit available
No
CVE ID(s)
CVE-2022-25220
Description
PeTeReport Version 0.5 allows an authenticated admin user to inject persistent JavaScript code inside the Markdown descriptions while creating a product, report or finding.
Proof of Concept
Steps to reproduce
Click on 'Add Product'.
Insert the following PoC inside the product description.
[XSS](javascript:alert(1))
Click on 'Save Product'.
If a user visits the product and clicks on the link in the description, the JavaScript code will be executed.
System Information
- Version: PeTeReport Version 0.5.
- Operating System: Docker.
- Web Server: nginx.
Exploit
There is no exploit for the vulnerability, but it can be manually exploited.
Mitigation
An updated version of PeTeReport is available at the vendor page.
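For applications that render user-supplied Markdown, the class of issue shown in the Proof of Concept can be checked with a scheme allowlist on link targets. The following Python is an added example, not PeTeReport's patch and not code from this advisory; the function names and the allowed schemes are assumptions made for illustration.

```python
import re
from html import unescape

# Assumed policy for this example: schemes a description may link to.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Browsers drop tab/CR/LF inside a URL and ignore leading controls and spaces.
_TAB_NEWLINE = re.compile(r"[\t\r\n]")
_C0_SPACE_ANGLE = "".join(map(chr, range(0x21))) + "<>"
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")
# Inline link [text](target "title"); the target may hold one level of ().
_INLINE_LINK = re.compile(
    r"\[([^\]]*)\]\(\s*((?:[^()\s]|\([^()\s]*\))*)(?:\s[^)]*)?\)"
)


def is_safe_link_target(target: str) -> bool:
    """True if target is relative or its scheme is in ALLOWED_SCHEMES."""
    # CommonMark decodes entities in link destinations, so decode them first.
    url = _TAB_NEWLINE.sub("", unescape(target)).strip(_C0_SPACE_ANGLE)
    match = _SCHEME.match(url)
    if match is None:
        return True  # no scheme: relative path, query or fragment
    return match.group(1).lower() in ALLOWED_SCHEMES


def neutralize_markdown_links(markdown_text: str) -> str:
    """Replace inline links that fail the allowlist with their link text."""
    def _replace(match):
        if is_safe_link_target(match.group(2)):
            return match.group(0)
        return match.group(1)
    return _INLINE_LINK.sub(_replace, markdown_text)


if __name__ == "__main__":
    # Constructed sample descriptions; the first is the PoC from this advisory.
    for sample in ("[XSS](javascript:alert(1))",
                   "[tracker](https://example.com/issues) [top](#summary)"):
        print(repr(sample), "->", repr(neutralize_markdown_links(sample)))
```

The regular expression covers inline links only; reference-style links and raw HTML in Markdown still require sanitizing the rendered HTML with the same allowlist applied to `href` values.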
Credits
The vulnerability was discovered by Oscar Uribe from the Offensive Team of Fluid Attacks.
References
Vendor page
https://github.com/1modm/petereport
Issue
https://github.com/1modm/petereport/issues/35
Timeline
2022-02-08: Vulnerability discovered.
2022-02-08: Vendor contacted.
2022-02-09: Vendor replied acknowledging the report.
2022-02-09: Vulnerability patched.
2022-02-23: Public Disclosure.