Headline
CVE-2022-4105: Stored XSS and HTML injection from markdown in kiwi
A stored XSS in a Kiwi TCMS Test Plan can run malicious JavaScript. It can be chained with an HTML injection to perform a UI redressing attack (clickjacking), or with an HTML injection that disables the use of the history page.
Description
Stored XSS, also known as persistent XSS, is the more damaging form of XSS: the malicious script is injected directly into, and stored by, the vulnerable web application. Because of a sanitization gap it is possible to perform both a stored XSS and an HTML injection. With this attack it is possible to disable the history page, making it unusable (for example I created a transparent page on top of it with an infinite redirect), or to create a stored XSS.
The root cause is that the markdown input is sanitized when rendered in the Test Plan view, but it is not sanitized when rendered on the history page, so the payload executes there.
Proof of Concept
1 - Insert one of the following payloads into a Test Plan.
2 - Go to the history page of that Test Plan.
Stored XSS:
<a href="https://evil.com/users/signin" onmouseover="confirm(document.cookie)" style="position: fixed; top: 0; right: 0; width: 10000px; height: 10040px; opacity:0.00001;">foo</a>
Stored HTML Injection - Disable the history page:
<a href='https://evil.com/users/signin' style='position: fixed; top: 0; right: 0; width: 10000px; height: 10040px; opacity:0.00001;'>foo</a>
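As an added illustration of the fix this report implies (example code, not Kiwi TCMS's own implementation), the sanitizer below rebuilds HTML from an allowlist and is meant to be called on every render path, the history view included; the tag and attribute allowlists are assumed for this example.

```python
import html
from html.parser import HTMLParser

# Assumed allowlist for this example (not Kiwi TCMS's real configuration).
ALLOWED_TAGS = {"p", "a", "b", "i", "em", "strong", "code", "pre", "ul", "ol", "li", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
ALLOWED_SCHEMES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br"}


class AllowlistSanitizer(HTMLParser):
    """Re-emits only allowlisted tags/attributes.

    Event handlers (on*) and inline style are never allowlisted, which neutralises
    both payloads in this report: the onmouseover XSS and the position:fixed overlay.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag itself, keep its text content
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onmouseover, style, etc.
            if name == "href" and not (value or "").strip().lower().startswith(ALLOWED_SCHEMES):
                continue  # blocks javascript: and data: URLs
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))


def sanitize(fragment: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def render_history(stored_html: str) -> str:
    """The fix: the history view runs the same sanitizer as the Test Plan view."""
    return sanitize(stored_html)
```

Running the two payloads above through render_history leaves only an anchor with its href; the event handler and the overlay style are gone.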
POC Video (Payload execution):
https://drive.google.com/file/d/1n7ZSrOOIb47vZro4ck2-hPRkzbSiX8CF/view?usp=sharing
Update:
I made a video in which a basic user (not an admin) creates a Test Plan. When an admin goes into the history of the Test Plan created by the basic user, the XSS fires (stored blind XSS).
POC:
https://drive.google.com/file/d/1FlGvATGWKWXXoMB6h2Z-JOX1gVhkssx5/view?usp=share_link
Impact
- Stored XSS to run malicious JavaScript
- HTML Injection to perform a UI redressing attack (clickjacking)
- HTML injection which disables the use of the history page