[CVE-2018-12030] Chevereto Free - XSS Vulnerability in Version 1.0.12


Product Information:

Software: Chevereto Free

Tested Version: 1.0.12, released 23.04.2018

Vulnerability Type: Cross-Site Scripting (CWE-79)

Description: Chevereto Free has the same look and feel of our paid edition and it includes all the essential image hosting functionalities. Install it in seconds, fall in love in minutes. (copied from https://chevereto.com/free)


Important note:

Chevereto Free is a fork of Chevereto (the paid version). This advisory focuses solely on the Free version and does not in any way refer to Chevereto (the paid version).


Vulnerability description:

There are two XSS vulnerabilities in Chevereto Free version 1.0.12.

Both are located at /chevereto/settings/profile.

Navigate as a regular user to /chevereto/settings/profile.

1) Authenticated Reflected XSS

Enter a" onmouseover="alert(document.cookie)" " in the name field and click Save changes. The payload is not visible in the page after saving.

Hover the cursor over the name element and the payload should trigger. Due to the implementation, this does not persist: on subsequent saves the payload is rendered as a plain attribute value instead.

Affected parameter: name

2) Authenticated Stored XSS

Enter a"></textarea><svg/onload=alert(document.cookie)> in the bio field and click Save changes.

Navigate away from the current page and return to /chevereto/settings/profile. The payload should trigger.

Affected parameter: bio
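The root cause of both findings is user input written into markup without context-appropriate escaping. The following is an added illustration, not Chevereto's code: a minimal profile-form template in its vulnerable form beside a hardened one that runs the two values from this advisory through htmlspecialchars(). Function and field names are assumptions.

```php
<?php
// Added example (not from the Chevereto project): the vulnerable output
// pattern next to the hardened one, fed with the two payloads above.

function esc(string $value): string {
    // ENT_QUOTES also encodes single quotes, so the result is safe both as a
    // double-quoted attribute value and as element text (e.g. inside <textarea>).
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern: user-controlled values interpolated directly into HTML.
function render_profile_unsafe(string $name, string $bio): string {
    return '<input type="text" name="name" value="' . $name . '">' . "\n"
         . '<textarea name="bio">' . $bio . '</textarea>';
}

// Hardened pattern: every value escaped for the context it is placed in.
function render_profile_safe(string $name, string $bio): string {
    return '<input type="text" name="name" value="' . esc($name) . '">' . "\n"
         . '<textarea name="bio">' . esc($bio) . '</textarea>';
}

// Crude demonstration check: count tag openers in the rendered markup. The
// template itself emits exactly three (<input, <textarea, </textarea).
function tag_count(string $html): int {
    return preg_match_all('/<[a-zA-Z\/]/', $html);
}

// Constructed sample input: the payloads quoted in this advisory.
$name = 'a" onmouseover="alert(document.cookie)" "';
$bio  = 'a"></textarea><svg/onload=alert(document.cookie)>';

$unsafe = render_profile_unsafe($name, $bio);
$safe   = render_profile_safe($name, $bio);

echo $unsafe, "\n";
echo 'tags: ', tag_count($unsafe), "\n"; // 5: the injected </textarea> and <svg> survive
echo $safe, "\n";
echo 'tags: ', tag_count($safe), "\n";   // 3: only the template's own tags remain
```

The escaped output still contains the literal text of the payload, so the stored value is preserved for display but can no longer close the textarea or add an event handler.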


Impact:

The first XSS vulnerability does not have any attack scenario, since on subsequent requests the payload is rendered as a plain value.

An attacker could potentially use the second XSS vulnerability to steal the cookies of an administrator.


Solution:


Timeline:

Vulnerability found: 06.06.2018

Vendor informed: 07.06.2018

Response by vendor: 07.06.2018

Fix by vendor: 07.06.2018

Patched version released: 07.06.2018

Public Advisory: 08.06.2018


References:

https://github.com/Chevereto/Chevereto-Free/commit/159daeab6adfe828bd06e6e74f5b647bf9b1bb70