usd-2023-0001 | Friendica 2022.12 - Cross-Site Scripting (XSS)
Advisory ID: usd-2023-0001
Affected Version: 2022.12
Vulnerability Type: Cross-Site Scripting (CWE-79)
Security Risk: High
Vendor URL: https://friendi.ca/
Vendor acknowledged vulnerability: Yes
Vendor Status: Fixed
Details
The open source application Friendica is used to set up a decentralized social network. The focus lies on effective privacy settings and interoperability with third-party services. A reflected XSS vulnerability was found in the 404 Not Found error page of Friendica 2022.12.
Proof of Concept
GET /communityjh99m%22%3e%3cimg%20src%3da%20onerror%3dalert(document.domain)%3eov1pz/local?accounttype=organisation HTTP/1.1
Host: localhost
[...]
Fix
It is recommended to treat all input on the website as potentially dangerous. Hence, all output that is dynamically generated based on user-controlled data should be encoded according to its context. The majority of programming languages support standard procedures for encoding meta characters.
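The following is an added example (not Friendica's code and not part of the advisory) that shows the fix recommendation in practice: a 404 page that echoes the requested path once without encoding and once with context-aware encoding. The page template, the helper names and the context labels are assumptions made for this illustration; the request target is the one from the proof of concept above.

```python
"""Context-aware output encoding for a "404 Not Found" page.

Added illustration: the template, the helper names and the context
labels are assumptions for this example, not Friendica's own code.
"""
import html
import json
from urllib.parse import quote, unquote, urlsplit

# Request target copied from the advisory's proof of concept and used here
# as constructed sample input.
POC_REQUEST_TARGET = (
    "/communityjh99m%22%3e%3cimg%20src%3da%20onerror%3dalert(document.domain)"
    "%3eov1pz/local?accounttype=organisation"
)


def requested_path(request_target: str) -> str:
    """Return the percent-decoded path, as a web server hands it to the app."""
    return unquote(urlsplit(request_target).path)


def render_404_unsafe(path: str) -> str:
    """Vulnerable pattern: user-controlled data dropped into HTML unencoded.

    The decoded path closes the surrounding quote and opens a new tag, so
    the browser parses attacker-supplied markup instead of showing text.
    """
    return f'<h1>Not Found</h1><p>The page "{path}" could not be found.</p>'


def encode_for_context(value: str, context: str) -> str:
    """Encode a value for the output context it is inserted into.

    One encoder does not fit all sinks: HTML entities protect an HTML text
    or attribute context, percent-encoding protects a URL component, and a
    JSON string literal with < > & escaped protects a JavaScript string.
    """
    if context in ("html_text", "html_attr"):
        return html.escape(value, quote=True)
    if context == "url":
        return quote(value, safe="")
    if context == "js_string":
        return (
            json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026")
        )
    raise ValueError(f"unknown output context: {context}")


def render_404_safe(path: str) -> str:
    """Hardened pattern: encode for the HTML context before output.

    < > & " ' become entities, so the payload is displayed as literal text
    and no new tag or attribute can be created.
    """
    shown = encode_for_context(path, "html_text")
    return f'<h1>Not Found</h1><p>The page "{shown}" could not be found.</p>'


if __name__ == "__main__":
    path = requested_path(POC_REQUEST_TARGET)
    print("unsafe:", render_404_unsafe(path))
    print("safe:  ", render_404_safe(path))
```

Running the module prints both renderings side by side; the unsafe one contains a live `<img>` tag while the safe one shows `&lt;img ...&gt;` as text. The context parameter matters because HTML entity encoding alone does not protect a value that is later placed into a `href` or a JavaScript string.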
Timeline
- 2023-01-05: Vulnerability identified by Christian Pöschl
- 2023-01-09: First contact request made to the vendor
- 2023-01-15: Hotfix released by vendor (Friendica 2023.01)
Credits
This security vulnerability was identified by Christian Pöschl of usd AG.