Hortusfox Web Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in Hortusfox Web version 4.4, specifically within the '/tasks' endpoint. This vulnerability allows authenticated users to inject arbitrary JavaScript into the system chat by exploiting the title parameter. The injected script is executed in the context of the user's browser when new-task messages are broadcast, potentially leading to session hijacking, data theft, or unauthorized actions.
Impact
Exploitation of this vulnerability allows for session hijacking, including theft of session cookies or CSRF tokens. It could also lead to privilege escalation, as injected scripts are executed in the context of the user, allowing access to higher-privilege accounts. Additionally, it enables data theft or execution of actions on behalf of the user.
Reproduction
To reproduce this vulnerability, log in as any user and create a calendar event. Inject a cross-site scripting payload, such as an image tag with an 'onerror' event, into the event name. After saving the event, the injected script will execute, demonstrating the cross-site scripting vulnerability. This effect will also be observed by other users when they log in.
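The missing output encoding behind this issue, as an added example that is not HortusFox code and not part of the original advisory: a message renderer that concatenates a stored title into markup next to one that encodes it, plus a heuristic audit for titles saved before a fix. The function names, the message markup and the sample rows are assumptions made for illustration.

```javascript
'use strict';
// Added illustration; all names and the message format are hypothetical.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Weak pattern: the stored title is concatenated into markup unchanged,
// so any tag in it is parsed by every browser that receives the message.
function renderTaskMessageUnsafe(user, title) {
  return '<div class="chat-system">' + user + ' created a new task: ' + title + '</div>';
}

// Hardened pattern: every user-controlled value is encoded at output time.
function renderTaskMessageSafe(user, title) {
  return '<div class="chat-system">' + escapeHtml(user) +
    ' created a new task: ' + escapeHtml(title) + '</div>';
}

// Heuristic audit: flag already-stored titles that contain tags, inline
// event handlers or javascript: URLs. Fixing the renderer does not clean
// records that were saved before the fix.
function findSuspectTitles(rows) {
  const markup = /<\s*\/?\s*[a-z!][^>]*>|\bon[a-z]+\s*=|javascript:/i;
  return rows.filter((r) => markup.test(r.title)).map((r) => r.id);
}

// Constructed sample records (not real data).
const sampleRows = [
  { id: 1, title: 'Water the monstera' },
  { id: 2, title: '<img src=x onerror=alert(1)>' },
  { id: 3, title: 'Repot <3 the ferns & herbs' },
];

for (const row of sampleRows) {
  console.log(row.id, renderTaskMessageSafe('anna', row.title));
}
console.log('suspect ids:', findSuspectTitles(sampleRows));
```

Encoding at output time keeps legitimate titles such as row 3 readable while rendering row 2 as inert text; the audit is a triage aid, not a filter to apply on input.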
