
#496 Cross-site scripting (XSS) Stored in Usermin's "Manage Folders" and "Address Book"

Status: open
Group: 1.840
Labels: None
Priority: 5
Updated: 2022-06-10
Created: 2022-06-09
Creator: Renan
Owner: Jamie Cameron
Private: No

Stored cross-site scripting (XSS) in "Manage Folders" in Webmin Usermin version 1.840, which allows remote attackers to inject arbitrary web script or HTML via the "Folder Name" input.

Another stored cross-site scripting (XSS) in "Address Book" in Webmin Usermin version 1.840, which allows remote attackers to inject arbitrary web script or HTML via the "Address Book's Real Name" input.


Discussion

  • Ilia

    Ilia - 2022-06-09

    Thanks for reporting this. We will look into fixing this.

    Although, can you think of a real-life exploitation of this bug, when this attack could actually be perpetrated against another user?

     
    • Renan

      Renan - 2022-06-10

      Hi,

      In my opinion, this XSS vulnerability could be used with a CSRF vulnerability (if found).
      An attacker could send an HTML page to the victim that executes an automatic/hidden POST request.


       
  • Jamie Cameron

    Jamie Cameron - 2022-06-10

    For the issue with list_folders.cgi, what was the full URL that triggers the issue? It's cut off in your screenshot.

     
  • Ilia

    Ilia - 2022-06-10

    Thanks, Renan, for reporting this. I have just fixed that.

    Although, these are harmless, as referer check would block all requests to files in question.

     

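The two mitigations discussed in the thread, as an added example that is not part of the ticket and not Usermin's own code: a folder list rendered with the submitted name interpolated unescaped (the reported bug class) next to the same render with HTML escaping, plus a hypothetical referer check in the spirit of the one Ilia says blocks the cross-site auto-submitted POST that Renan describes. The handler, the request dictionaries, the host names and the payload are all constructed for this example; whether a request with no Referer at all is accepted is a policy choice, and this example rejects it.

```python
"""Added example (not Usermin's code): stored XSS via an unescaped folder name,
the escaped fix, and a referer check that rejects a cross-site auto-submitted POST.
Every request, host name and payload below is constructed test data."""
from html import escape
from urllib.parse import urlparse

# Constructed attacker input: what a hidden cross-site form would submit as the folder name.
PAYLOAD = '<img src=x onerror="alert(document.cookie)">'


def render_folder_list_vulnerable(folders):
    """Interpolates user-supplied folder names straight into HTML (the reported bug class)."""
    rows = "".join(f"<tr><td>{name}</td></tr>" for name in folders)
    return f"<table>{rows}</table>"


def render_folder_list_fixed(folders):
    """Same markup, but every attacker-controlled string is HTML-escaped on output."""
    rows = "".join(f"<tr><td>{escape(name, quote=True)}</td></tr>" for name in folders)
    return f"<table>{rows}</table>"


def referer_allowed(headers, server_host, trusted=()):
    """Hypothetical referer check (not Webmin's implementation).

    Accepts the request only if the Referer (or, failing that, Origin) header names
    this server or an explicitly trusted host. A hidden form on an attacker page is
    submitted with the attacker's origin, so it fails; a missing header is rejected too.
    """
    ref = headers.get("Referer") or headers.get("Origin")
    if not ref:
        return False
    host = urlparse(ref).hostname
    if host is None:
        return False
    allowed = {server_host.lower(), *(h.lower() for h in trusted)}
    return host.lower() in allowed


def handle_create_folder(request, server_host, store):
    """Minimal model of a 'create folder' POST handler: referer check first, then store."""
    if request["method"] != "POST":
        return 405, "method not allowed"
    if not referer_allowed(request["headers"], server_host):
        return 403, "referer check failed"
    store.append(request["form"]["folder_name"])
    return 200, "ok"


# Constructed requests: one auto-submitted from an attacker page, one from the app itself.
CROSS_SITE_POST = {
    "method": "POST",
    "headers": {"Referer": "https://attacker.example/lure.html",
                "Origin": "https://attacker.example"},
    "form": {"folder_name": PAYLOAD},
}
SAME_SITE_POST = {
    "method": "POST",
    "headers": {"Referer": "https://mail.example:20000/list_folders.cgi"},
    "form": {"folder_name": "Archive"},
}


def demo():
    """Runs both requests through the handler; returns (status codes, stored names)."""
    store = []
    codes = [handle_create_folder(r, "mail.example", store)[0]
             for r in (CROSS_SITE_POST, SAME_SITE_POST)]
    return codes, store


if __name__ == "__main__":
    print(demo())
    print(render_folder_list_fixed([PAYLOAD]))
```

Output escaping fixes the XSS regardless of how the payload got into the folder list; the referer check only closes the cross-site delivery route Renan describes, so the two are complementary rather than interchangeable.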
