
XSS Vulnerability in Cronicle Full Name Field Allows Admin Credential Theft #752

Closed
Elam-Monnot opened this issue May 7, 2024 · 1 comment

@Elam-Monnot

Summary

XSS Vulnerability in Cronicle Full Name Field Allows Admin Credential Theft.

Steps to reproduce the problem

An attacker can exploit this vulnerability by adding <script></script> tags within the "Full Name" field during user creation or editing. Any code placed between these tags will be interpreted as JavaScript by the browser, potentially leading to XSS attacks.

Your Setup

Linux VM running Debian 12.

Operating system and version?

Debian 12 Bookworm up to date.

Node.js version?

NodeJs v20.12.2

Cronicle software version?

Cronicle v0.9.47.

Are you using a multi-server setup, or just a single server?

Single server setup, one master.

Are you using the filesystem as back-end storage, or S3/Couchbase?

I am using the filesystem storage.

Can you reproduce the vulnerability consistently?

Every time a user with malicious scripts in their full name logs in, the script is executed. Also, because user logins are logged, every time an administrator views the logs, the script launches too. Furthermore, because user logins are logged, the script is also launched when an administrator views the logs containing the attacker's full name entry. This creates an opportunity for the attacker to steal the administrator's credentials and inject them into local storage on their browser, enabling privilege escalation.

Explanation

During user creation, the username field is sanitized to prevent XSS attacks, but the "Full Name" field is not. This oversight allows attackers to inject malicious scripts that can steal administrator credentials when the fullname is viewed.

I can provide additional examples, screenshots, and a Proof of Concept if needed.
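The root cause described in this report, one user-supplied field escaped and another not, is easiest to see side by side. The following is an added JavaScript example written for this issue; it is not Cronicle's own code. The object shape (`username`, `full_name`), the rendering functions, the validation rule and the sample payload are all assumptions constructed for illustration, and the mitigation shown is the standard pair of context-aware output escaping plus input validation.

```javascript
// Added example (not Cronicle's code): why an unescaped "Full Name" becomes
// stored XSS, and the two mitigation layers a defender would apply.

// Layer 1: escape on output. Any user-controlled string interpolated into an
// HTML text context must have the five significant characters replaced.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering (hypothetical): the full name is concatenated
// straight into markup, so a <script> element in it becomes live code
// for whoever views the page, e.g. an administrator reading login logs.
function renderLogLineUnsafe(user) {
  return `<div class="log">User ${user.username} (${user.full_name}) logged in</div>`;
}

// Hardened rendering: same template, every interpolated field escaped.
function renderLogLineSafe(user) {
  return `<div class="log">User ${escapeHtml(user.username)} (${escapeHtml(user.full_name)}) logged in</div>`;
}

// Layer 2: validate on input with the same strictness the report says the
// username already gets. Hypothetical rule: letters, combining marks,
// spaces, apostrophes, hyphens and dots, 1 to 64 characters.
const FULL_NAME_RE = /^[\p{L}\p{M} .'-]{1,64}$/u;
function isValidFullName(name) {
  return typeof name === 'string' && FULL_NAME_RE.test(name);
}

// Detection helper for tests or log review: does rendered markup still
// contain an executable script element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed samples: the payload shape from the report and a benign name.
const reported = { username: 'mallory', full_name: '<script>alert(1)</script>' };
const legit = { username: 'alice', full_name: "Alice O'Connor" };

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe :', renderLogLineUnsafe(reported));
  console.log('safe   :', renderLogLineSafe(reported));
  console.log('valid? :', isValidFullName(reported.full_name), isValidFullName(legit.full_name));
}
```

Output escaping is the layer that actually closes the hole, because the same stored value is rendered in more than one place (user edit form, login log, admin views) and each sink must escape for its own context; input validation is a second, defense-in-depth check that also makes the injection attempt visible in logs as a rejected write.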

@jhuckaby
Owner

jhuckaby commented May 7, 2024

Fixed in v0.9.48. Thanks!

@jhuckaby jhuckaby self-assigned this May 10, 2024