DOM based Cross Site Scripting
Hi Team,
I observed a DOM based Cross Site Scripting issue in the code.
Location:
The vulnerable code lies in the following file: https://gitlab.com/mayan-edms/mayan-edms/blob/master/mayan/apps/appearance/templates/appearance/base_plain.html
The vulnerable line of code is line 37.
```javascript
// Source: the URL fragment, which is fully attacker-controlled.
var currentHash = window.location.hash;
if (currentHash.length) {
    // Sink: assigning a string to window.location navigates to it, so a
    // "javascript:" fragment is executed in the page's origin.
    window.location = currentHash.substring(1);
}
```
Here the value from the source `window.location.hash` is passed directly into the sink `window.location`. This code is embedded on the following URLs in the hosted instance:
- /authentication/login/
- /authentication/password/reset/done/
- /authentication/password/reset/
Attack Scenario / Steps:
So if the URL is like `http://domainname.com/authentication/login/#javascript:alert(document.domain)`, then `javascript:alert(document.domain)` will execute on the login page.
Proposed Mitigation:
Replace the following line of code `window.location = currentHash.substring(1);` with `window.location.pathname = currentHash.substring(1);`
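As an added illustration (this is example code, not code from the Mayan EDMS project or from the reporter), here is the vulnerable fragment-redirect logic beside a stricter hardened variant that parses the fragment as a same-origin path and rejects everything else, including `javascript:` URLs, protocol-relative `//host` targets and backslash tricks. The site origin `https://example.test`, the function names and the sample fragments are assumptions for the example; browser navigation is simulated by returning the string that would be assigned, so the block runs under Node without a DOM.

```javascript
// Assumed site origin for the same-origin check (not a real deployment).
const ORIGIN = 'https://example.test';

// Vulnerable: mirrors the logic in base_plain.html. Whatever follows '#'
// is returned as the navigation target, so a "javascript:" fragment would
// run in the page's origin once assigned to window.location.
function vulnerableRedirect(hash) {
  if (hash.length) {
    return hash.substring(1); // in the page: window.location = ...
  }
  return null;
}

// Hardened: only accept a relative path starting with a single '/', resolve it
// against the known origin with the WHATWG URL parser, and require that the
// result stays on that origin over http(s). Returns the normalised path plus
// query string, or null when the fragment must be ignored.
function safeRedirect(hash, origin = ORIGIN) {
  if (!hash || hash.length < 2) return null;
  const candidate = hash.substring(1);
  // Reject schemes ("javascript:", "https:") and protocol-relative "//host".
  if (!candidate.startsWith('/') || candidate.startsWith('//')) return null;
  let target;
  try {
    target = new URL(candidate, origin);
  } catch (e) {
    return null; // unparsable input
  }
  // "/\\evil.example" is parsed as an authority by browsers; the origin check
  // catches that and any other escape to a foreign host.
  if (target.origin !== origin) return null;
  if (target.protocol !== 'http:' && target.protocol !== 'https:') return null;
  // In the page this would be: window.location.assign(target.pathname + target.search)
  return target.pathname + target.search;
}

// Constructed fragments exercising both functions.
const SAMPLES = [
  '#javascript:alert(document.domain)',
  '#//evil.example/',
  '#/\\evil.example/',
  '#https://evil.example/',
  '#/documents/list/?page=2',
];

function compareAll() {
  return SAMPLES.map((hash) => ({
    hash,
    vulnerable: vulnerableRedirect(hash),
    hardened: safeRedirect(hash),
  }));
}

for (const row of compareAll()) {
  console.log(JSON.stringify(row));
}
```

Note that the hardened version deliberately drops any fragment it cannot prove is a same-origin path rather than trying to sanitise it; an allowlist of the few paths the login flow actually needs would be tighter still.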
Let me know in case any other details are required. I will also request a CVE for this once the patch is pushed.