CVE-2023-23015: XSS Kalkun
Cross Site Scripting (XSS) vulnerability in Kalkun 0.8.0 via username input in file User_model.php.
Link: https://github.com/kalkun-sms/Kalkun
XSS vulnerability with the user name.
The username is written to the database without sanitization in Kalkun-devel\application\models\User_model.php:
$this->db->set('username', trim($this->input->post('username')));
On login, the username is read back from the database and stored in the session, and the user is then redirected to 'kalkun', in Kalkun-devel\application\models\Kalkun_model.php:
function login()
{
    $username = $this->input->post('username');
    $this->db->from('user');
    $this->db->where('username', $username);
    $query = $this->db->get();

    if ($query->num_rows() === 1 && password_verify($this->input->post('password'), $query->row('password'))) {
        //…
        // The stored username is copied into the session unchanged.
        $this->session->set_userdata('username', $query->row('username'));
        //…
    }
    if ($this->input->post('r_url')) {
        redirect($this->input->post('r_url'));
    } else {
        redirect('kalkun');
    }
}
In file Kalkun-devel\application\controllers\Kalkun.php
function index()
{
    //…
    $this->load->view('main/layout', $data);
}
In file Kalkun-devel\application\views\main\layout.php
<?php $this->load->view('main/dock');?>
Finally, the session value is echoed into the page without output encoding in Kalkun-devel\application\views\main\dock.php:
<?php echo $this->session->userdata('username');?>
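The flow above ends at an unescaped echo of a stored value. The following is an added example, not Kalkun's code and not the project's actual fix: it contrasts that sink with an HTML-encoded one and adds an allowlist check for the write path. The function names, the allowlist policy and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example. All function names here are hypothetical, not Kalkun APIs.

// Sink as shown in dock.php: the stored username is written into HTML unchanged.
function render_dock_unsafe(string $username): string
{
    return '<span class="username">' . $username . '</span>';
}

// Hardened sink: encode for the HTML context at output time, so markup
// characters in the stored value are rendered as text.
function render_dock_safe(string $username): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;
    return '<span class="username">'
        . htmlspecialchars($username, $flags, 'UTF-8')
        . '</span>';
}

// Defence in depth for the write path (the db->set() call in User_model.php):
// accept only an allowlisted character set. The policy (letters, digits,
// dot, underscore, hyphen, 1 to 32 characters) is an assumption.
function is_valid_username(string $username): bool
{
    return preg_match('/\A[A-Za-z0-9._-]{1,32}\z/', $username) === 1;
}

// Constructed sample inputs: two ordinary names and two containing
// harmless markup characters.
$samples = ['alice', 'bob.smith-2', '<i>bob</i>', 'a" data-x="1'];

foreach ($samples as $name) {
    printf(
        "input:  %s\nvalid:  %s\nunsafe: %s\nsafe:   %s\n\n",
        $name,
        var_export(is_valid_username($name), true),
        render_dock_unsafe($name),
        render_dock_safe($name)
    );
}
```

Encoding at the sink is the control that closes the issue. The allowlist only reduces what can reach the database and does not cover values already stored.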