Summary
It was possible for an authenticated user with permission to edit groups to store a JavaScript payload that would execute when the group was viewed in the Group View.
Details
An authenticated user with permission to edit groups could create a new role within a group. While the initial role name was properly sanitized, renaming the group to a JavaScript payload allowed the payload to be stored and executed.
PoC
As an authenticated user, visit /GroupList.php, add a new group.
Scroll down to Group Roles, add a New Role with any name.
Click the role's name to edit it, and change the name to "><script>alert(window.location)</script>
Refresh the page, observe the payload execute.
Impact
The payload is executed any time the group is viewed in the group viewer. Additionally, the authentication cookie has its Secure and HttpOnly flags set to false by default, which would allow for account takeover.
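The root cause described above is input-time sanitization with no output encoding on the rename path, plus a session cookie without Secure/HttpOnly. The following PHP is an added illustration, not the application's own code: the rendering helpers, variable names and the data-role attribute are assumed, and the sample role name is the one from the PoC.

```php
<?php
// Added example (not the application's own code). Shows an unescaped
// rendering of a role name beside output encoding at render time, and
// the cookie flags named in the Impact section. Function names assumed.
declare(strict_types=1);

// Constructed sample input: the renamed role from the PoC above.
$roleName = '"><script>alert(window.location)</script>';

// Vulnerable pattern: the value is concatenated straight into an
// attribute, so the leading '">' closes the tag and the script tag that
// follows is parsed as markup. Sanitizing only on create does not help
// once a second write path (rename) reaches the same column.
function renderRoleLinkUnsafe(string $name): string
{
    return '<a class="role" data-role="' . $name . '">' . $name . '</a>';
}

// Hardened pattern: encode at the point of output, on every render path.
// ENT_QUOTES escapes both " and ', so the value is inert inside
// double- and single-quoted attributes as well as in element text.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderRoleLink(string $name): string
{
    return '<a class="role" data-role="' . esc($name) . '">' . esc($name) . '</a>';
}

echo renderRoleLinkUnsafe($roleName), PHP_EOL;
echo renderRoleLink($roleName), PHP_EOL;

// Cookie hardening (PHP 7.3+ options array), set before session_start():
// Secure keeps the cookie off plain HTTP, HttpOnly keeps page script from
// reading it, so a stored XSS cannot simply read document.cookie.
if (PHP_SAPI !== 'cli') {
    session_set_cookie_params([
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}
```

Run from the CLI it prints the raw and the encoded markup side by side; the cookie block only runs under a web SAPI.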