CVE-2023-30097: Edoardo Ottavianelli
A stored cross-site scripting (XSS) vulnerability in TotalJS messenger commit b6cf1c9 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the private task field.
**CVE-2023-30097**
Author: Edoardo Ottavianelli
04/05/2023
In this post I will go through CVE-2023-30097: the description, replication of the vulnerability and POC.
Messenger, a product of TotalJS, is “a chat application for programmers. Our solution is a small, fast, and open-source web application that you can customize to fit your needs. Try our great solution as a communication channel in your company or sell it to your customers.”
The Messenger platform includes:
- Real-time messaging.
- Supports GitHub flavored markdown.
- Supports secret messages.
- Full-text search.
Description of the vulnerability
TotalJS messenger commit b6cf1c9 is vulnerable to stored XSS: the private task description field is not sanitized or output-encoded, so HTML and script supplied there is rendered as-is wherever the task is displayed.
Replication of the vulnerability
- Log in to the application.
- Click on "Add a Private task".
- Set `" <script>alert(document.domain)</script>` as the task description and save.
- The XSS payload fires whenever the user's info is reflected in the page.
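To make the root cause concrete, the following is an added illustration and not code from the TotalJS messenger repository: the unsafe rendering pattern the description implies, next to an output-encoded version that neutralizes the same stored payload. The task object shape and the function names are assumptions.

```javascript
// Added example (not TotalJS messenger code): unsafe vs. fixed rendering
// of a private task description. Names are assumptions for illustration.

// Constructed sample of a task as stored after the replication steps;
// the description is the payload used in the advisory.
const storedTask = {
  id: 1,
  description: '" <script>alert(document.domain)</script>',
};

// Minimal HTML entity encoding for text placed in element content or in a
// double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the stored string is concatenated into markup as-is.
// The leading quote closes the title attribute and the <script> element
// reaches the browser's HTML parser intact.
function renderTaskUnsafe(task) {
  return `<div class="task" title="${task.description}">${task.description}</div>`;
}

// Fixed pattern: every untrusted value is encoded at the point where it is
// written into HTML, in both the attribute and the element body.
function renderTaskSafe(task) {
  const text = escapeHtml(task.description);
  return `<div class="task" title="${text}">${text}</div>`;
}

// Simple server-side/test-time check: does the produced markup still carry
// a script element? Useful as a regression test for this field.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

module.exports = { storedTask, escapeHtml, renderTaskUnsafe, renderTaskSafe, containsScriptTag };
```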
POC
See the YouTube video POC here:
References
- https://nvd.nist.gov/vuln/detail/CVE-2023-30097
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30097
- https://www.youtube.com/watch?v=VAlbkvOm_DU
- https://github.com/totaljs/messenger/issues/9