[CVE-2018-12030] Chevereto Free - XSS Vulnerability in Version 1.0.12
Software: Chevereto Free
Tested Version: 1.0.12, released 23.04.2018
Vulnerability Type: Cross-Site Scripting (CWE-79)
Description: Chevereto Free has the same look and feel of our paid edition and it includes all the essential image hosting functionalities. Install it in seconds, fall in love in minutes. (copied from https://chevereto.com/free)
Chevereto Free is a fork of Chevereto (the paid version). This advisory focuses solely on the Free version and does not in any way refer to Chevereto (the paid version).
There are two XSS vulnerabilities in Chevereto Free version 1.0.12.
Both are located at /chevereto/settings/profile.
Log in as a regular (non-administrative) user and navigate to /chevereto/settings/profile.
1) Authenticated Reflected XSS
Enter a" onmouseover="alert(document.cookie)" " in the name field and click Save changes. The payload is not visible on the page after saving.
Hover the cursor over the name element and the payload triggers. Due to the implementation this does not persist: on subsequent saves the payload is treated as a plain value rather than as markup.
Affected parameter: name
2) Authenticated Stored XSS
Enter a"></textarea><svg/onload=alert(document.cookie)> in the bio field and click Save changes.
Navigate away from the page and return to /chevereto/settings/profile. The payload triggers when the page is loaded.
Affected parameter: bio
The first XSS vulnerability has no practical attack scenario, since the payload is only interpreted as markup once and is treated as a plain value on subsequent attempts.
An attacker could use the second (stored) XSS vulnerability to steal the session cookie of an administrator, provided the stored bio is rendered in the administrator's browser.
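The two injection contexts above (a quoted value attribute for name, a textarea body for bio) and the output encoding that closes them can be reproduced outside Chevereto. The following Python is an added example written for this advisory, not Chevereto's code: the two render functions are a hypothetical stand-in for the profile template, and the check parses the rendered HTML the way a browser would to see whether user data escaped its context. Only the two payloads are taken from the advisory.

```python
import html
from html.parser import HTMLParser

# The two payloads from this advisory, used here purely as test inputs.
NAME_PAYLOAD = 'a" onmouseover="alert(document.cookie)" "'
BIO_PAYLOAD = 'a"></textarea><svg/onload=alert(document.cookie)>'


def render_profile_vulnerable(name: str, bio: str) -> str:
    """Hypothetical stand-in for a profile template that inserts user data
    into an attribute value and a textarea body without output encoding."""
    return (
        f'<input type="text" name="name" value="{name}">\n'
        f'<textarea name="bio">{bio}</textarea>'
    )


def render_profile_hardened(name: str, bio: str) -> str:
    """Same template with HTML entity encoding applied at output time.
    html.escape(quote=True) encodes & < > " and ', so a quote in `name`
    cannot close the value attribute and a '</textarea>' in `bio`
    cannot terminate the textarea element."""
    return (
        f'<input type="text" name="name" value="{html.escape(name, quote=True)}">\n'
        f'<textarea name="bio">{html.escape(bio, quote=True)}</textarea>'
    )


class _TagCollector(HTMLParser):
    """Records every start tag and every on* (event handler) attribute seen."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.event_handlers: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        for attr_name, _ in attrs:
            if attr_name.lower().startswith("on"):
                self.event_handlers.append((tag, attr_name.lower()))


# Elements the template legitimately emits; anything else came from user data.
EXPECTED_TAGS = {"input", "textarea"}


def xss_findings(rendered_html: str) -> list[str]:
    """Parse the rendered page and report context breakouts.
    A safe render contains only the two expected elements and no event
    handler attributes; anything else means user data became markup."""
    collector = _TagCollector()
    collector.feed(rendered_html)
    collector.close()
    findings = []
    if any(tag == "input" for tag, _ in collector.event_handlers):
        findings.append("name: event handler injected into <input> (attribute breakout)")
    unexpected = [tag for tag in collector.tags if tag not in EXPECTED_TAGS]
    if unexpected:
        findings.append(
            f"unexpected element(s) {unexpected} created by user data (textarea breakout)"
        )
    return findings


if __name__ == "__main__":
    for label, render in (("vulnerable", render_profile_vulnerable),
                          ("hardened", render_profile_hardened)):
        print(label, xss_findings(render(NAME_PAYLOAD, BIO_PAYLOAD)) or "no findings")
```

The check deliberately inspects the parsed element tree rather than grepping for the payload string: an encoded `&lt;svg` never becomes an element, while any breakout, whatever its exact form, shows up as an extra tag or an on* attribute.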
Solution:
- Upgrade to the paid version or
- Upgrade to Chevereto Free version 1.0.13
Vulnerability found: 06.06.2018
Vendor informed: 07.06.2018
Response by vendor: 07.06.2018
Fix by vendor: 07.06.2018
Patched version released: 07.06.2018
Public Advisory: 08.06.2018