PeTeReport 0.5 - Stored XSS (Attack Tree)
4.8
Medium
Discovered by
Offensive Team, Fluid Attacks
Summary
Full name
PeTeReport 0.5 - Stored XSS (Attack Tree)
Code name
State
Public
Release date
23 feb 2022
Affected product
PeTeReport
Affected version(s)
Version 0.5
Fixed version(s)
Version 0.7
Vulnerability name
Stored cross-site scripting (XSS)
Vulnerability type
Remotely exploitable
Yes
CVSS v3.1 vector string
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CVSS v3.1 base score
4.8
Exploit available
No
CVE ID(s)
Description
PeTeReport Version 0.5 allows an authenticated admin user to inject persistent JavaScript code while adding an 'Attack Tree' by modifying the svg_file parameter.
Proof of Concept
Steps to reproduce
1. Create a new Report.
2. Create a new Finding for the Report.
3. Go to 'Reports' > 'All Reports'.
4. Click on 'View' in the last created record.
5. Go to 'Attack Trees'.
6. Click on 'Add Attack Tree'.
7. Select your Finding and click on 'Save and Finish'.
8. Intercept the request and insert JavaScript code inside the svg_file parameter.
9. If a user visits the attack tree, the JavaScript code will be rendered.
System Information
Version: PeTeReport Version 0.5.
Operating System: Docker.
Web Server: nginx.
Exploit
There is no exploit for the vulnerability, but it can be exploited manually.
Mitigation
An updated version of PeTeReport is available on the vendor page.
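The following Python function is an added example, not PeTeReport's code or the vendor's fix: a server-side allowlist check for a submitted svg_file value that refuses script elements, event-handler attributes and links before the SVG is stored. The function names, the allowlists and the sample strings are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
# Assumed allowlists for simple diagram SVGs; tune them to what the application emits.
ALLOWED_TAGS = {"svg", "g", "defs", "marker", "title", "desc", "path", "rect",
                "circle", "ellipse", "line", "polyline", "polygon", "text", "tspan"}
ALLOWED_ATTRS = {"id", "class", "d", "x", "y", "x1", "y1", "x2", "y2", "cx", "cy",
                 "r", "rx", "ry", "width", "height", "viewBox", "points",
                 "transform", "fill", "stroke", "stroke-width", "font-size",
                 "font-family", "text-anchor", "marker-end", "orient", "refX",
                 "refY", "markerWidth", "markerHeight"}
# Constructed samples: a plain diagram node, and an SVG carrying script content.
SAMPLE_OK = ('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 40">'
             '<rect x="1" y="1" width="98" height="38" fill="none" stroke="black"/>'
             '<text x="50" y="25" text-anchor="middle">Root goal</text></svg>')
SAMPLE_BAD = ('<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">'
              '<script>alert(1)</script></svg>')


def _split(qname):
    """Return (namespace, local name) for an ElementTree '{ns}name' string."""
    if qname.startswith("{"):
        ns, _, local = qname[1:].partition("}")
        return ns, local
    return "", qname


def svg_violations(svg_text):
    """List the reasons svg_text must not be stored or rendered; empty means accepted."""
    lowered = svg_text.lower()
    if "<!doctype" in lowered or "<!entity" in lowered:
        return ["DTD or entity declaration present"]
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if _split(root.tag) != (SVG_NS, "svg"):
        return ["root element is not <svg> in the SVG namespace"]
    problems = []
    for elem in root.iter():
        ns, tag = _split(elem.tag)
        if ns != SVG_NS or tag not in ALLOWED_TAGS:
            problems.append(f"element not allowed: {tag}")
        for name in elem.attrib:
            attr_ns, attr = _split(name)
            # Namespaced attributes (xlink:href) and anything off the list,
            # including every on* handler, href and style, are refused.
            if attr_ns or attr not in ALLOWED_ATTRS:
                problems.append(f"attribute not allowed on <{tag}>: {attr}")
    return problems
```

A check of this kind belongs on the server at the point where svg_file is received, because the steps above change the value in an intercepted request, after any browser-side code has run.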
References
Timeline
Generative AI
8 feb 2022
Vulnerability patched
9 feb 2022
Vendor contacted
8 feb 2022
Vendor replied
9 feb 2022
Public disclosure
23 feb 2022