Edoardo Ottavianelli

CVE-2023-27070

Author: Edoardo Ottavianelli
14/03/2023

In this post I will go through CVE-2023-27070: the description, replication of the vulnerability and POC.

openplatform is an Open-source Javascript based "beautiful and simple portal for running, integrating and managing multiple 3rd party web applications" (link to the GitHub repo). From the GitHub description we can read:
"OpenPlatform is a stylish and straightforward Web OS platform / Portal for running, integrating, and managing multiple 3rd party web applications. OpenPlatform provides running applications with a set of services, such as user and security management or notifications, so that programmers can focus on business logic. OpenPlatform is an enterprise-ready solution".

Among its benefits they list:

• container for 3rd party apps
• Supports user groups and permissions
• Supports notifications, and sounds
• Powerful user management
• Fully optimized for mobile devices
• and many more...

Description of the vulnerability

The platform name is not properly sanitized and can execute Javascript code when reflected in the website. I've opened an issue in GitHub issue tracker (https://github.com/totaljs/openplatform/issues/53).

Replication of the vulnerability

• Login in the application
• Click on setup
• Click My settings
• Set "><img src=x onerror=alert(document.domain)> as platform name and save.
• Logout and XSS will fire.

POC

See the Youtube Video POC at the top of the page.

References

• https://nvd.nist.gov/vuln/detail/CVE-2023-27070
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27070
• https://github.com/totaljs/openplatform/issues/53
• https://www.youtube.com/embed/4WJqcseH5qk