Hi, I am a security researcher at Fluid Attacks; our security team found a security issue inside PeteReport version 0.5.
Attached below are the links to our responsible disclosure policy.
Bug description
PeteReport Version 0.5 allows an authenticated admin user to inject persistent JavaScript code inside the markdown descriptions while creating a product, report or finding.
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CVSSv3 Base Score:
4.8
Steps to reproduce
Click on 'Add Product'.
Insert the following PoC inside the product description.
[XSS](javascript:alert(1))
Click on 'Save Product'
If a user visits the product and clicks the link in the description, the JavaScript in the link runs in that user's browser.
Screenshots and files
System Information
Version: PeteReport Version 0.5.
Operating System: Docker.
Web Server: nginx.
@alestorm980 Thank you, that happened to me for trusting markdown 🗡️. It should be fixed in the last commit; take a look and let me know if you find more issues.
@1modm Hi, now we can't add the PoC properly. The payloads are showing as "lt;gt" to our clients. Are there any workarounds? I think it should be like before; no one is deploying a free solution to a production environment for an XSS to be exploited, and it's an app not everyone will get access to. Can you roll back to the previous code, or find a solution?