Security Issue - Stored XSS (Attack Tree)

[alestorm980]

Hi I am a security researcher at Fluid Attacks, our security team found a security issue inside PeteReport version 0.5.

We will assign the cve id CVE-2022-23051 to this issue but the information will be released after the vulnerability is patched. Attached below are the links to our responsible disclosure policy.

• https://fluidattacks.com/advisories/policy

Bug description

PeteReport Version 0.5 allows an authenticated admin user to inject persistent javascript code while adding an 'Attack Tree' by modifying the svg_file parameter.

CVSSv3 Vector:

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CVSSv3 Base Score:

4.8

Steps to reproduce

1. Create a new Report.
2. Create a new Finding for the Report.
3. Go to 'Reports' > 'All Reports'.
4. Click on 'View' in the last created record.
5. Go to 'Attack Trees'.
6. Click on 'Add Attack Tree'.
7. Select your Finding and click on 'Save and Finish'
8. Intercept the request and insert javascript code inside the svg_file parameter.

   <script type="text/javascript">
      alert("XSS");
   </script>

9. If a user visits the attack tree the javascript code will be rendered.

Screenshots and files

System Information

• Version: PeteReport Version 0.5.
• Operating System: Docker.
• Web Server: nginx.

[1modm]

@alestorm980 Buen trabajo!

Should be fixed in the last commit, take a look and let me know if do you find more issues.

Muchas gracias :)