skip to content
Back to GitHub.com
Home Bounties Research Advisories CodeQL Wall of Fame Get Involved Events
February 3, 2021

GHSL-2020-148: Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) in anjoy8/ChristDDD

Jaroslav Lobacevski

Coordinated Disclosure Timeline

Summary

ChristDDD is vulnerable to Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) that may lead to the elevation of privileges and per-user denial of service (DoS).

Product

ChristDDD

Tested Version

Master branch.

Details

Issue 1: XSS (CVE-2018-0784)

The application doesn’t have a fix for CVE-2018-0784 that was found in ASP.NET Core templates. It is vulnerable to XSS if the logged-in user is tricked into clicking a malicious link like https://localhost:44315/manage/EnableAuthenticator?AuthenticatorUri=%22%3E%3C/div%3E%00%00%00%00%00%00%00%3Cscript%3Ealert(%22XSS%22)%3C/script%3E and enters an invalid verification code. More details are available in this blog post.

Impact

This issue may lead to the elevation of privileges.

Issue 2: CSRF (CVE-2018-0785)

The application doesn’t have a fix for CVE-2018-0785 that was found in ASP.NET Core templates. It is vulnerable to CSRF. A logged-in user with enabled Second Factor Authentication (2FA) may lose their recovery codes if they are tricked into clicking a link like https://localhost:44315/manage/GenerateRecoveryCodes or visit a malicious site that makes the request without the user’s consent. As a result the user may be permanently locked out of their account after losing access to their 2FA device, as the initial recovery codes would no longer be valid.

Impact

This issue may lead to a per-user DoS.

Credit

This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2020-148 in any communication regarding this issue.