[CVE-2018-12030] Chevereto Free – XSS Vulnerability in Version 1.0.12
Product Information:
Software: Chevereto Free
Tested Version: 1.0.12, released 23.04.2018
Vulnerability Type: Cross-Site Scripting (CWE-79)
Description: Chevereto Free has the same look and feel as our paid edition and it includes all the essential image hosting functionalities. Install it in seconds, and fall in love in minutes. (copied from https://chevereto.com/free)
Important note:
Chevereto Free is a fork of Chevereto (the paid version). This advisory focuses solely on the Free version and does not in any way refer to Chevereto (the paid version).
Vulnerability description:
There are two XSS vulnerabilities in Chevereto Free version 1.0.12.
Both are located at /chevereto/settings/profile.
Navigate as a regular user to /chevereto/settings/profile.
1) Authenticated Reflected XSS
Enter a" onmouseover="alert(document.cookie)" "
in the name field and click Save changes. The payload should not be seen upon saving.
Hover the cursor over the name element and the payload should trigger. Due to the implementation, this does not persist: on subsequent attempts the payload is rendered as a plain value instead.
Affected parameter: name
2) Authenticated Stored XSS
Enter a"></textarea><svg/onload=alert(document.cookie)>
in the bio field and click Save changes.
Navigate away from the current page and return to /chevereto/settings/profile. The payload should trigger.
Affected parameter: bio
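To show why the two payloads behave differently and what the fix has to do, here is an added example (not Chevereto's code) that models the profile form's two output contexts in Python: a hypothetical template that interpolates the fields raw next to one that entity-encodes them, plus a parser-based check that confirms the encoded output keeps each value inside its attribute or textarea.

```python
import html
from html.parser import HTMLParser

# Payloads quoted from the advisory above.
NAME_PAYLOAD = 'a" onmouseover="alert(document.cookie)" "'
BIO_PAYLOAD = 'a"></textarea><svg/onload=alert(document.cookie)>'


def render_profile_vulnerable(name: str, bio: str) -> str:
    """Hypothetical template (not Chevereto's) that interpolates the two
    profile fields without encoding: the pattern behind both findings."""
    return (
        f'<input type="text" name="name" value="{name}">\n'
        f'<textarea name="bio">{bio}</textarea>'
    )


def render_profile_fixed(name: str, bio: str) -> str:
    """Same template with HTML entity encoding in both output contexts.
    html.escape(quote=True) encodes & < > " and ', so a value can neither
    terminate the value="..." attribute nor close the <textarea> element."""
    return (
        f'<input type="text" name="name" value="{html.escape(name, quote=True)}">\n'
        f'<textarea name="bio">{html.escape(bio, quote=True)}</textarea>'
    )


class ProfileAudit(HTMLParser):
    """Records every start tag and every on* attribute the parser sees,
    which is enough to tell whether user input escaped its context."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.handlers: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers.extend((tag, a) for a, _ in attrs if a.startswith("on"))


def audit(markup: str) -> dict:
    """Return tags the template did not emit itself and any event handlers.
    Both lists must be empty for correctly encoded output."""
    parser = ProfileAudit()
    parser.feed(markup)
    parser.close()
    return {
        "unexpected_tags": [t for t in parser.tags if t not in ("input", "textarea")],
        "event_handlers": parser.handlers,
    }
```

In PHP, the application's language, the equivalent of html.escape(quote=True) is htmlspecialchars($value, ENT_QUOTES) applied at the point of output.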
Impact:
The first XSS vulnerability does not yield a practical attack scenario, since the payload is rendered as a plain value on subsequent attempts.
An attacker could potentially use the second XSS vulnerability to steal the cookie of an administrator.
Solution:
- Upgrade to the paid version or
- Upgrade to Chevereto Free version 1.0.13
Timeline:
Vulnerability found: 06.06.2018
Vendor informed: 07.06.2018
Response by vendor: 07.06.2018
Fix by vendor: 07.06.2018
Patched version released: 07.06.2018
Public Advisory: 08.06.2018
References:
https://github.com/Chevereto/Chevereto-Free/commit/159daeab6adfe828bd06e6e74f5b647bf9b1bb70