📄 Coohom SaaS Cross Site Scripting

🗓️ 08 Dec 2025 00:00:00 · Reported by Phisit Pupiw · Type: packetstorm
🔗 packetstorm.news · 👁 133 Views

Stored XSS in Coohom SaaS Profile Address fields from unsanitized city, state, and country inputs.

Related

| Family | Title | Published | Source |
|---|---|---|---|
| Circl | CVE-2025-65300 | 6 Dec 2025 07:53 | circl |
| CNNVD | Coohom SaaS Platform Security Vulnerability | 9 Dec 2025 00:00 | cnnvd |
| CVE | CVE-2025-65300 | 9 Dec 2025 00:00 | cve |
| Cvelist | CVE-2025-65300 | 9 Dec 2025 00:00 | cvelist |
| EUVD | EUVD-2025-202319 | 9 Dec 2025 21:31 | euvd |
| NVD | CVE-2025-65300 | 9 Dec 2025 19:15 | nvd |
| Positive Technologies | PT-2025-50213 | 9 Dec 2025 00:00 | ptsecurity |
| RedhatCVE | CVE-2025-65300 | 10 Dec 2025 00:28 | redhatcve |
| Vulnrichment | CVE-2025-65300 | 9 Dec 2025 00:00 | vulnrichment |
# CVE-2025-65300
    
    [Description]
    
    CVE-2025-65300: Stored Cross-Site Scripting (XSS) Vulnerability in Coohom SaaS Platform
    
    Disclosure Date: 2025-10-28
    Last Updated: 2025-10-28
    Reporter: Phisit Pupiw
    Vendor: Coohom
    CWE: CWE-79 – Cross-Site Scripting
    
    ------------------------------------------
    
    [Summary]
    
    A stored Cross-Site Scripting (XSS) vulnerability was identified in the Coohom SaaS Platform within the Account Settings → Profile → Address module. User-supplied input stored in the City, State, and Country/Region fields is rendered back to the client without proper sanitization or context-aware output encoding.
    This allows attackers to store malicious JavaScript payloads that execute whenever the affected profile area is viewed.
    The issue affects production build feVersion=1760060603897 (verified on 2025-10-28).
    
    ------------------------------------------
    
    [Vulnerability Details]
    
    The frontend renders the stored values of "window.SAAS_ENV.userInfo.{city, state, country}" without sanitization or context-aware escaping, so a payload saved to the database is later emitted into the page and executed whenever that part of the UI is displayed.
    
    Example malicious payload:
    
        </script><script>alert(document.cookie)</script>
    
    When this payload is entered into the City field, saved, and the profile page is reloaded, arbitrary JavaScript executes in the victim's browser.
    The leading "</script>" is what makes the payload work: the values are emitted inside an inline <script> block (the one that populates window.SAAS_ENV), and the HTML parser ends a script element at the first "</script>" it encounters, regardless of JavaScript string quoting, so the attacker's <script> element that follows is parsed as ordinary markup. This is a script-context injection: HTML entity encoding does not help here (entities are not decoded inside script data), and the sink has to be fixed where the profile JSON is serialized into the page.
    
    ------------------------------------------
    
    [Affected Components]
    
    Module: Account Settings → Profile → Address fields
    Fields: city, state, country
    Frontend Build Affected: feVersion=1760060603897
    Production URL: https://www.coohom.com/pub/saas/settings/account
    
    ------------------------------------------
    
    [Impact]
    
    An attacker can perform the following:
    - Execute arbitrary JavaScript in the victim’s browser
    - Steal session cookies that are not marked HttpOnly (the PoC's document.cookie only returns cookies without that flag); HttpOnly cookies can still be used by the script to issue requests in the victim's session
    - Perform actions on behalf of the victim
    - Redirect users or inject malicious content
    - Persist malicious scripts affecting all future views
    
    ------------------------------------------
    
    [Attack Vector]
    
    - Access Required: Authenticated user (any account can store the payload in its own profile)
    - Attack Type: Remote
    - User Interaction: Viewing a page that renders the affected profile fields
    
    Note: the PoC demonstrates execution on the attacker's own Account Settings page. The impact on other users depends on where else the city, state, and country values are rendered (for example in views seen by team members or administrators); the advisory does not enumerate those views, so that exposure should be confirmed during triage.
    
    ------------------------------------------
    
    [Attack Flow]
    
    1. Attacker signs in or registers a Coohom account
    2. Navigates to Account Settings → Profile → Address
    3. Inserts malicious payload into City, State, or Country/Region
    4. Saves the form
    5. Script executes whenever the profile section is rendered
    
    ------------------------------------------
    
    [Proof of Concept (PoC)]
    
    Steps to Reproduce
    
    1. Log in to Coohom (https://www.coohom.com)
    2. Open Account Settings → Profile → Address
    3. Enter the payload below into the City field:
    
           </script><script>alert(document.cookie)</script>
    
    4. Save and refresh the page
    5. The JavaScript executes immediately, confirming stored XSS
    
    ------------------------------------------
    
    [Recommendation]
    
    - Fix the sink first: when serializing profile data into the inline script that sets window.SAAS_ENV, escape "<", ">", "&" and the line terminators U+2028/U+2029 as \uXXXX JSON escapes so that "</script>" can never appear in the emitted source; alternatively, carry the data in a non-executing container (a <script type="application/json"> block or a data attribute) and read it on the client with JSON.parse
    - Apply context-aware output encoding wherever the fields are rendered: HTML-encode in element content, attribute-encode inside attributes, JavaScript-encode in script contexts; on the frontend prefer DOM APIs such as textContent over innerHTML
    - Validate input on save as defense in depth (length limits; reject "<", ">" and control characters in address fields), but do not rely on input filtering as the only control
    - Deploy a Content-Security-Policy that disallows inline scripts. Because the page itself bootstraps window.SAAS_ENV with an inline script, script-src 'self' on its own would break the application; allow that block with a per-response nonce or a hash rather than 'unsafe-inline'
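    The following is an added example and not Coohom's code: it reconstructs the mechanism described under [Vulnerability Details] (the "</script>" payload terminating an inline bootstrap script) and the script-context serializer recommended above. The shape of the bootstrap script and the sample profile values are assumptions; only the field names and the payload come from the advisory.

```javascript
// Added example (not Coohom's code). The inline bootstrap template is a
// hypothetical reconstruction of a page that sets window.SAAS_ENV; the
// field names and payload are taken from the advisory.

// Constructed sample profile: the City field holds the advisory's payload.
const userInfo = {
  city: '</script><script>alert(document.cookie)</script>',
  state: 'CA',
  country: 'US',
};

// VULNERABLE: plain JSON.stringify leaves '<' and '>' untouched. The HTML
// tokenizer ends a <script> element at the first "</script" it meets, so the
// payload's closing tag ends the bootstrap script and the rest is parsed as
// markup, including the attacker's own <script> element.
function renderBootstrapVulnerable(info) {
  return '<script>window.SAAS_ENV = { userInfo: ' +
    JSON.stringify(info) + ' };</script>';
}

// HARDENED: serialize for a script context. '<', '>', '&' and the two line
// terminators that JSON permits but JS string literals do not (U+2028/U+2029)
// become \uXXXX escapes. The output is still valid JSON and decodes to the
// same string, but "</script>" can no longer appear in the emitted source.
function jsonForInlineScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

function renderBootstrapHardened(info) {
  return '<script>window.SAAS_ENV = { userInfo: ' +
    jsonForInlineScript(info) + ' };</script>';
}

// HTML-context encoder for the other sink: writing the same fields into
// element content or attributes. It is not a substitute for the script-context
// fix above, because entities are not decoded inside <script> data.
function encodeForHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Mimics the tokenizer rule that matters here: every "</script" (matched
// without regard to case) terminates a script element, whatever the JS syntax
// around it. A correctly serialized bootstrap page contains exactly one.
function countScriptTerminators(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// The hardened output must still decode to the original values on the client.
function roundTripsIntact(info) {
  const decoded = JSON.parse(jsonForInlineScript(info));
  return decoded.city === info.city && decoded.state === info.state &&
    decoded.country === info.country;
}

console.log('vulnerable terminators:', countScriptTerminators(renderBootstrapVulnerable(userInfo)));
console.log('hardened terminators:  ', countScriptTerminators(renderBootstrapHardened(userInfo)));
console.log('hardened round-trips:  ', roundTripsIntact(userInfo));
console.log('HTML-context encoding: ', encodeForHtml(userInfo.city));
```

    Run it with node: the vulnerable rendering contains three script terminators (the template's own plus two from the payload) while the hardened rendering contains only one, and the escaped JSON still decodes to the original city value, which is why escaping at the serializer does not change application behaviour for legitimate data.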
    
    ------------------------------------------
    
    [References]
    
    - https://www.coohom.com/pub/saas/settings/account
    - CVE record status (MITRE): CVE-2025-65300 (RESERVED as of 2025-10-28; the record was published on 2025-12-09, see the related entries above)
    
    ------------------------------------------
    
    [Credits]
    
    Discovered by : Phisit Pupiw


08 Dec 2025 00:00 (current)
Vulners AI Score: 6.4 (Medium risk)
CVSS 3.1: 5.4
EPSS: 0.00027
SSVC
Views: 133