[CVE-2018-12030] Chevereto Free - XSS Vulnerability in Version 1.0.12 • Edric Teo

[CVE-2018-12030] Chevereto Free – XSS Vulnerability in Version 1.0.12

June 2018

[CVE-2018-12030] Chevereto Free – XSS Vulnerability in Version 1.0.12

Product Information:

Software: Chevereto Free

Tested Version: 1.0.12, released 23.04.2018

Vulnerability Type: Cross-Site Scripting (CWE-79)

Description: Chevereto Free has the same look and feels as our paid edition and it includes all the essential image hosting functionalities. Install it in seconds, and fall in love in minutes. (copied from https://chevereto.com/free)

Important note:

Chevereto Free is a fork of Chevereto (the paid version). This advisory focuses solely only on the Free version and does not in any way refer to Chevereto (the paid version).

Vulnerability description:

There are two XSS vulnerabilities in Chevereto Free version 1.0.12.

Both are located at /chevereto/settings/profile.

Navigate as a regular user to /chevereto/settings/profile.

1) Authenticated Reflected XSS

Enter a" onmouseover="alert(document.cookie)" " in the name field and click Save changes. The payload should not be seen upon saving.

Hover the cursor over the name element and the payload should trigger. Due to the implementation, this does not persist. Subsequent attempts of the payload will be evaluated as a value instead.

Affected parameter: name

2) Authenticated Stored XSS

Enter a"></textarea><svg/onload=alert(document.cookie)> in the biofield and click Save changes.

Navigate away from the current page and return to /chevereto/settings/profile. The payload should trigger.

Affected parameter: bio

Impact:

The first XSS vulnerability does not have any attack scenario since the payload is rendered as value for subsequent attempts.

An attacker could potentially use the second XSS vulnerability to steal the cookie of an administrator.

Solution:

Upgrade to the paid version or
Upgrade to Chevereto Free version 1.0.13

Timeline:

Vulnerability found: 06.06.2018

The vendor informed: 07.06.2018

Response by vendor: 07.06.2018

Fix by vendor: 07.06.2018

The patched version released: 07.06.2018

Public Advisory: 08.06.2018

References:

https://github.com/Chevereto/Chevereto-Free/commit/159daeab6adfe828bd06e6e74f5b647bf9b1bb70