Product<\/strong>: Friendica<\/span>
Affected Version<\/strong>: 2022.12<\/span>
Vulnerability Type<\/strong>: Cross-Site Scripting (CWE-79)<\/span>
Security Risk<\/strong>: High
Vendor URL<\/strong>: https:\/\/friendi.ca\/<\/a>
Vendor acknowledged vulnerability<\/strong>: Yes
Vendor Status:\u00a0<\/strong>Fixed<\/p>\n
Description<\/h3>\n
The open source application Friendica is used to set up a decentralized social network. The focus lies on effective privacy settings and interoperability with third-party services. A reflected XSS vulnerability was found in the\u00a0<\/span>404 Not Found<\/em>\u00a0error page of Friendica 2022.12.<\/span><\/p>\n The following request injects JavaScript code into the 404 error page.<\/span><\/p>\n The following screenshot shows, that the JavaScript code is executed in the context of the application:<\/span> It is recommended to treat all input on the website as potentially dangerous. <\/span>Hence, all output that is dynamically generated based on user-controlled data should be encoded according to its context. <\/span>The majority of programming languages support standard procedures for encoding meta characters.<\/span><\/p>\n This security vulnerability was identified by Christian P\u00f6schl of usd AG.<\/p>\n [\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":" usd-2023-0001 | Friendica 2022.12 - Cross-Site Scripting (XSS) Advisory ID: usd-2023-0001Product: FriendicaAffected Version: 2022.12Vulnerability Type: Cross-Site Scripting (CWE-79)Security Risk: HighVendor URL: https:\/\/friendi.ca\/Vendor acknowledged vulnerability: YesVendor Status:\u00a0Fixed Description The open source application Friendica is used to set up a decentralized social network. The focus lies on effective privacy settings and interoperability with third-party services. A reflected […]<\/p>\n","protected":false},"author":96,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-19793","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/19793","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/96"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=19793"}],"version-history":[{"count":0,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/19793\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=19793"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Proof of Concept<\/h3>\n
GET \/communityjh99m%22%3e%3cimg%20src%3da%20onerror%3dalert(document.domain)%3eov1pz\/local?accounttype=organisation HTTP\/1.1\nHost: localhost\n[...]<\/pre>\n<\/div>\n
<\/h3>\n
<\/span><\/p>\n![\"\"](\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2023\/03\/usd-2023-0001-proof.png\")
<\/p>\n<\/h3>\n
Fix<\/h3>\n
References<\/h3>\n
\n
Timeline<\/h3>\n
\n
Credits<\/h3>\n