{"id":16699,"date":"2021-07-08T11:07:31","date_gmt":"2021-07-08T09:07:31","guid":{"rendered":"https:\/\/herolab-usd.formwandler.rocks\/security-advisories\/usd-2020-0050\/"},"modified":"2021-07-19T14:16:34","modified_gmt":"2021-07-19T12:16:34","slug":"usd-2020-0050","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2020-0050\/","title":{"rendered":"usd-2020-0050"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.9.4\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\"][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n

usd-2020-0050 | Gophish v0.10.1<\/span><\/h1>\n

<\/span>
Advisory ID<\/strong>: usd-2020-0050<\/span>
CVE Number<\/strong>: CVE-2020-24712<\/span>
Affected Product<\/strong>: Gophish<\/span>
Affected Version<\/strong>: v0.10.1<\/span>
Vulnerability Type<\/strong>: non-persistent self Cross-Site Scripting<\/span>
Security Risk<\/strong>: Low<\/span>
Vendor URL<\/strong>: https:\/\/getgophish.com\/<\/a><\/span>
Vendor Status<\/strong>: Fixed<\/span><\/p>\n

<\/h3>\n

Description<\/h3>\n

The \u201cIMAP Host\u201c input field is vulnerable to Self-XSS when combined with pressing the \u201cTest Settings\u201c button. It was however not possible during the pentest to save an XSS payload with a \u201cReporting Settings\u201c.<\/span><\/p>\n

<\/span><\/p>\n

Proof of Concept (PoC)<\/h3>\n

Visit \/settings and enter an XSS payload as \u201eIMAP Host\u201c<\/span><\/p>\n

[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/07\/usd20200050-1.png\" _builder_version=\"4.9.4\" _module_preset=\"default\" title_text=\"usd20200050-1\" hover_enabled=\"0\" sticky_enabled=\"0\"][\/et_pb_image][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n

Press \u201eTest Settings\u201c and observe that the JavaScript is executed<\/span><\/p>\n

[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/07\/usd20200050-2-1.png\" title_text=\"usd20200050-2\" _builder_version=\"4.9.4\" _module_preset=\"default\" custom_margin=\"27px||43px||false|false\" hover_enabled=\"0\" sticky_enabled=\"0\"][\/et_pb_image][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n

\n
\n

Fix<\/h3>\n

It is recommended to treat all input on the website as potentially dangerous. Hence, all output that is dynamically generated based on user-controlled data should be encoded according to its context. The majority of programming languages support standard procedures for encoding meta characters. For example, PHP has the built-in function htmlspecialchars().<\/span>
Additionally, all input should be validated on the server-side. Where possible, whitelist filters should be used. The more restrictive a filter can be specified, the better the protection it provides. Whitelisting is especially recommended if input values have a well defined format or a list of valid input values exists. Invalid values should not be sanitized and forwarded to the application. Instead, requests with invalid values should be rejected.<\/span><\/p>\n

<\/h3>\n

Timeline<\/h3>\n