Application Description

Winningtemp is a solution provided by Winningtemp AB that is designed to measure employee engagement and well-being. It enables organisations to address employee concerns and allow for continuous improvement by leveraging recurring anonymous feedback.

Summary

Winningtemp allows employees to send praise (kudos) to each other. Each praise is accompanied by a short message explaining why a particular coworker deserved that praise (e.g. what they did well). The application accepts arbitrary text for the message and displays it as-is in several places without HTML-encoding it first. This allows an adversary to inject HTML and alter the rendered markup.

Severity Scoring

Medium (5.3) CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N

An authenticated adversary is able to impact the integrity of the data by saving HTML instead of text. Subsequently, the user’s browser or email client will be impacted when rendering the injected content.

Technical Details

  1. Log on to Winningtemp as a regular user.
  2. Opt to give praise (sv. “Ge Beröm”) to a victim user.
  3. As the message, enter any HTML content such as <img src=a> or <h2>Some title</h2>.
  4. Submit the praise (POST /Kudo/SaveKudo).
  5. Log on as the receiving (victim) user, and review the notification area. Note how the injected content is displayed (but truncated).

Figure: Winningtemp HTML Injection in Notification

  6. Review the email notification sent to the victim user and note how the injected content is rendered.

Figure: Winningtemp HTML Injection in Email
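As an added illustration (not Winningtemp's code), the rendering pattern behind this finding next to its fix: the praise message must be HTML-encoded at the point it is placed into the notification or email markup, and because the notification area shows a truncated preview, the truncation has to happen on the plain text before encoding. The function names and the sample message are assumptions for the example.

```javascript
// Added example, not Winningtemp code. Shows the unencoded rendering that
// makes HTML injection possible and the encoded rendering that prevents it.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that are significant in HTML text and attributes.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Vulnerable pattern: the message is interpolated into markup unchanged, so
// any tags it contains become part of the notification / email document.
function renderKudoUnsafe(message) {
  return `<div class="kudo-message">${message}</div>`;
}

// Fixed pattern: the message is encoded and therefore shown as literal text.
// The preview is cut on the plain string first; cutting the encoded string
// could split an entity such as "&lt;" and leave a broken fragment behind.
function renderKudoSafe(message, maxLength = Infinity) {
  const plain = String(message);
  const preview = plain.length > maxLength ? plain.slice(0, maxLength) + '...' : plain;
  return `<div class="kudo-message">${escapeHtml(preview)}</div>`;
}

// Wrong order for comparison: encode first, then truncate. "&lt;img src=a&gt;"
// cut at three characters is "&lt", which no longer decodes cleanly.
function previewWrongOrder(message, maxLength) {
  return escapeHtml(message).slice(0, maxLength);
}

// Count real HTML tags in a rendered fragment, a simple way to check whether
// anything from the message survived as markup (the wrapper div contributes 2).
function countTags(html) {
  return (html.match(/<\/?[a-z][^>]*>/gi) || []).length;
}

// Constructed sample input using the same kind of payload the advisory describes.
const SAMPLE_MESSAGE = '<img src=a><h2>Some title</h2>';
```

Running the two render functions over SAMPLE_MESSAGE shows the unsafe variant emitting five tags (wrapper plus the injected ones) and the safe variant emitting only the two wrapper tags.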

Vulnerability Disclosure Timeline

2024-06-11 - Disclosed to vendor.
2024-06-20 - Asked vendor for an update.
2024-06-26 - Vendor confirms that the issue is resolved.
2024-06-28 - Publicly disclosed.