Tushar_infosec
2 min read · Sep 21, 2023
Stored XSS in Admin Panel

Report ID: CVE-2023-41614

Date: August 26, 2023

Reported By: Tushar rajendra gurav

(guravtushar231@gmail.com)

Summary:

During a security assessment of the Zoo Management admin panel, I identified a critical stored cross-site scripting (XSS) vulnerability in the “Add Animal Details” section. The vulnerability occurs in the “Description of Animal” input field. Malicious input injected into this field is stored in the application’s database and subsequently executed when viewing animal details, leading to the execution of arbitrary JavaScript code. This report aims to bring attention to the vulnerability and facilitate its prompt resolution.

Vulnerability Details:

- Vulnerability Type: Stored Cross-Site Scripting (XSS)

- Affected Component: Admin Panel — Add Animal Details

- Affected Versions: All versions prior to the latest release (v1.0)

- CVE ID: CVE-2023-41614

Description:

The “Add Animal Details” section in the Zoo Management admin panel contains an input field labeled “Description of Animal.” This field does not adequately sanitize user input before storing it in the database. As a result, an attacker can submit a malicious payload containing JavaScript code within the description field. When this stored payload is subsequently displayed in the “Animal Details” section and a user scrolls to view it, the JavaScript code is executed in that user’s browser, resulting in stored cross-site scripting.

Steps to Reproduce:

1. Access the admin panel of the Zoo Management application.

2. Navigate to the “Add Animal Details” section.

3. In the “Description of Animal” field, input the following payload:

&quot;&gt;<script>alert('document.cookie');</script>

4. Save the animal details.

5. Navigate to the “Animal Details” section and locate the previously added animal.

6. Scroll down to the “Description of Animal” to trigger the execution of the payload.

Impact:

Successful exploitation of this vulnerability allows an attacker to execute arbitrary JavaScript code in the browsers of other users who view the manipulated animal details. This can lead to:

- Unauthorized data access and theft, including cookies or session tokens.

- Defacement of the application by injecting malicious content.

- Distribution of malware or phishing attacks to application users.

Recommendation:

To address this vulnerability and enhance the security of the Zoo Management admin panel, the following actions are advised:

1. Input Sanitization: Implement rigorous input sanitization on user-generated content, especially in fields that display data publicly.

2. Output Encoding: Apply proper output encoding to prevent stored XSS vulnerabilities when displaying user-generated content.

3. Content Security Policy (CSP): Implement a strong CSP header to restrict the execution of untrusted scripts.

4. Regular Security Audits: Conduct regular security assessments, including vulnerability scanning and penetration testing, to identify and remediate potential vulnerabilities.
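The following is an added example, not code from the report or from the Zoo Management project, illustrating the rendering flaw described under Description and the first three recommendations above (output encoding and a CSP header). It assumes a server-side template that builds the “Animal Details” HTML from the stored description; the template shape, the function names, and the sample payload (constructed from the one quoted in Steps to Reproduce) are all assumptions made for the demonstration.

```python
import html
import re

# Constructed sample input: the report's payload, as it would be submitted in
# the "Description of Animal" field and then stored in the database.
REPORTED_PAYLOAD = '">' + "<script>alert('document.cookie');</script>"


def render_animal_details_unsafe(name: str, description: str) -> str:
    """Vulnerable pattern (hypothetical template): the stored description is
    interpolated into the page as raw HTML, so any markup it contains is live.
    This is the behaviour the report describes for the "Animal Details" view."""
    return (
        "<div class='animal'>"
        f"<h2>{name}</h2>"
        f"<p class='description'>{description}</p>"
        "</div>"
    )


def render_animal_details_safe(name: str, description: str) -> str:
    """Hardened pattern: every user-controlled value is HTML-entity encoded for
    the context it lands in (element content). '<' becomes '&lt;', so the
    browser shows the payload as text instead of parsing it as a script tag."""
    return (
        "<div class='animal'>"
        f"<h2>{html.escape(name, quote=True)}</h2>"
        f"<p class='description'>{html.escape(description, quote=True)}</p>"
        "</div>"
    )


# Matches an un-encoded opening <script tag anywhere in rendered output.
_SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_live_script_tag(rendered_html: str) -> bool:
    """Regression check for templates: True if a raw <script ...> element
    survived rendering, i.e. user input reached the page without encoding.
    Suitable as a unit test against every view that echoes stored text."""
    return _SCRIPT_TAG.search(rendered_html) is not None


def csp_header() -> tuple[str, str]:
    """Content-Security-Policy the admin panel should send on every response.
    With script-src limited to 'self' and no 'unsafe-inline', an inline
    <script> that slips through an encoding mistake is still refused by the
    browser. The exact allow-list is an assumption; tune it to the app's
    own static assets."""
    policy = "; ".join([
        "default-src 'self'",
        "script-src 'self'",
        "object-src 'none'",
        "base-uri 'self'",
        "frame-ancestors 'none'",
    ])
    return ("Content-Security-Policy", policy)


if __name__ == "__main__":
    unsafe = render_animal_details_unsafe("Lion", REPORTED_PAYLOAD)
    safe = render_animal_details_safe("Lion", REPORTED_PAYLOAD)
    print("unsafe view has live <script>:", contains_live_script_tag(unsafe))
    print("safe view has live <script>:  ", contains_live_script_tag(safe))
    print("safe view markup:", safe)
    print("header:", ": ".join(csp_header()))
```

Running the module shows the same stored string producing a live `<script>` element under the unsafe template and inert `&lt;script&gt;` text under the encoded one; the `contains_live_script_tag` check is the kind of assertion worth wiring into the test suite for each view that displays stored animal details, and the CSP header is the defence-in-depth layer that holds even if a future template forgets to encode.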