Headline
CVE-2023-36463: XSS on user input
Meldekarten generator is an open source project to create a program, running locally in the browser without the need for an internet connection, to create, store and print registration cards for volunteers. All text fields on the webpage are vulnerable to XSS attacks. The user input isn’t (fully) sanitized after submission. This issue has been addressed in commit 77e04f4af which is included in the 1.0.0b1.1.2 release. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Summary
All text fields on the webpage are vulnerable to XSS attacks. The user input isn’t (fully) sanitized after submission.
Details
Tried exploits:
" classs="first-name" type="text" placeholder="Vorname"><script>console.log(‘Hello World’)</script><input value="
If you click on the “Neue Person” button, the script tag gets into the HTML, but the code inside it is never executed, so you can only break the site, without the possibility to execute any code.
<script>console.log(‘Hello World’)</script>
If you print the document, the field is empty, but no code gets executed.
;
If you export it to a CSV-file you can add an arbitrary number of fields.
\n
Did nothing, was included in the CSV as \n and did not cause a new line.
PoC
Impact
I was only able to render the site unresponsive or break the design. Possibly everything an XSS can do, but I was not able to run any code.
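The two behaviours listed under Details (a `"` in a text field closing the `value` attribute, and a `;` adding fields to the CSV export) both come from writing user input into a structured format without encoding it. The following is an added example, not code from the Meldekarten generator or its fix commit; the function names and the input markup shape are assumptions modelled on the attributes visible in the payload above.

```javascript
// Added example: hypothetical helpers, not the project's own code.

// Escape text before placing it in HTML text or a double-quoted attribute,
// so a `"` or `<` in user input cannot close the attribute or open a tag.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Build the input markup with the value escaped (assumed markup shape).
function renderFirstNameInput(value) {
  return `<input class="first-name" type="text" placeholder="Vorname" value="${escapeHtml(value)}">`;
}

// Quote a CSV field when it contains the delimiter, a quote or a line break,
// doubling embedded quotes (RFC 4180 style, with ";" as the delimiter).
function csvField(text, delimiter = ";") {
  const s = String(text);
  const needsQuoting = s.includes(delimiter) || /["\r\n]/.test(s);
  return needsQuoting ? `"${s.replace(/"/g, '""')}"` : s;
}

function csvRow(fields, delimiter = ";") {
  return fields.map((f) => csvField(f, delimiter)).join(delimiter);
}

// Count the fields a quote-aware CSV reader would see in one row.
function countCsvFields(row, delimiter = ";") {
  let inQuotes = false;
  let count = 1;
  for (const ch of row) {
    if (ch === '"') inQuotes = !inQuotes;
    else if (ch === delimiter && !inQuotes) count++;
  }
  return count;
}

// Constructed sample input, shaped like the strings under "Tried exploits".
const attrPayload = '"><script>console.log(1)</script><input value="';
console.log(renderFirstNameInput(attrPayload)); // stays one <input> element
const row = csvRow(["Max", "Muster;extra;fields", "Ortsverband"]);
console.log(row, "->", countCsvFields(row), "fields");
```

In the browser, assigning to `input.value` or `textContent` through the DOM instead of building HTML strings avoids the attribute breakout without any manual escaping.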