huntr | Thanhlocstudent | F0F3ADED-6E97-4CF2-980A-C90F2C6CA0E0
Aug 19, 2022 - 6:00 p.m.

Persistent Cross Site Scripting - WidgetsManagement Module - Settings

2022-08-19 18:00:44
thanhlocstudent
www.huntr.dev

EPSS: 0.001 (Low)
EPSS Percentile: 21.6%

Description

The application uses Purifier to prevent cross-site scripting attacks. However, in the WidgetsManagement module under Settings, the "title" parameter is not validated and is used directly, without any encoding or validation, in Vtiger/dashboards/ChartFilter.tpl. This allows an attacker to inject arbitrary JavaScript code and perform a stored XSS attack.

Proof of Concept

  1. Login to the application.
  2. Access the WidgetsManagement module via the following URL:
     https://gitstable.yetiforce.com/index.php?module=WidgetsManagement&parent=Settings&view=Configuration
  3. Click the button "Edit chart from filter".
     Change the value of the "title" parameter to the following payload:
     Widgets" onfocus="alert(document.domain)" autofocus ""="
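As an added example (not code from the report or from YetiForce), the following Python models the unescaped interpolation described above beside an attribute-encoded version, and uses the standard-library HTML parser to check whether the rendered tag picked up an event-handler attribute. The `<input value="...">` markup is an assumed simplification, not the real ChartFilter.tpl.

```python
import html
from html.parser import HTMLParser

# Payload as given in the report: the leading double quote closes the value
# attribute, and the remainder is parsed as further attributes of the same tag.
REPORT_PAYLOAD = 'Widgets" onfocus="alert(document.domain)" autofocus ""="'


def render_unescaped(title: str) -> str:
    """Assumed simplification of the flawed template: the stored title is
    interpolated verbatim into a quoted attribute."""
    return f'<input type="text" name="title" value="{title}">'


def render_escaped(title: str) -> str:
    """Hardened form: attribute-encode the title (quotes included) first."""
    safe = html.escape(title, quote=True)
    return f'<input type="text" name="title" value="{safe}">'


class _InputAttrs(HTMLParser):
    """Collects the attributes a browser would see on each <input> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.inputs: list = []

    def handle_starttag(self, tag: str, attrs: list) -> None:
        if tag == "input":
            self.inputs.append(dict(attrs))


def input_attributes(markup: str) -> dict:
    """Attributes of the first <input> in the rendered markup."""
    parser = _InputAttrs()
    parser.feed(markup)
    parser.close()
    return parser.inputs[0] if parser.inputs else {}


def has_event_handler(markup: str) -> bool:
    """Detection check: did the title smuggle in an on* attribute?"""
    return any(name.startswith("on") for name in input_attributes(markup))


if __name__ == "__main__":
    for label, render in (("unescaped", render_unescaped), ("escaped", render_escaped)):
        print(f"{label}: handler injected = {has_event_handler(render(REPORT_PAYLOAD))}")
```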

(Screenshots in the original report: "Inject the payload", "Payload", "PoC")

PoC Video

https://drive.google.com/file/d/1mqJq_e1sfnUyQ-amBujR2Bes2lUiQZVF/view?usp=sharing
