HortusFox Web Stored Cross-Site Scripting Vulnerability in TextBlock Module
Vulnerability
A stored cross-site scripting vulnerability has been identified in HortusFox Web version 4.4, specifically within the TextBlockModule.php component. This issue allows authenticated users to inject arbitrary web scripts or HTML by placing a crafted payload in the name parameter when adding a new plant. The injected script is saved to the database and later executed in the context of the user viewing the chat, as the application does not properly sanitize chat messages before displaying them.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of users who view the chat. This could lead to session hijacking, privilege escalation, and unauthorized actions within the application.
Reproduction
To reproduce this vulnerability, authenticate as a valid user and navigate to the 'add new plant' feature. Inject a script payload, such as an image tag with an error event, into the name parameter. Once the form is submitted, the injected script will execute immediately. Additionally, the XSS payload will be executed for any user who logs in after the injection, including admins.
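The root cause described above, unencoded output of a stored value, shown next to a hardened form as an added example. This is not HortusFox's own code: the function names, the chat line layout, and the sample values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers: the real TextBlockModule.php is not shown on the page.

/** Vulnerable pattern: the stored plant name is concatenated into HTML unchanged. */
function renderChatLineUnsafe(string $user, string $plantName): string
{
    return '<div class="chat-msg">' . $user . ' added plant ' . $plantName . '</div>';
}

/** Encode a value for an HTML text or quoted-attribute context at output time. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Hardened pattern: every stored or user-controlled value is encoded when rendered. */
function renderChatLineSafe(string $user, string $plantName): string
{
    return '<div class="chat-msg">' . e($user) . ' added plant ' . e($plantName) . '</div>';
}

/** Regression check: true if anything inside the wrapper div still parses as a tag. */
function containsInjectedMarkup(string $html): bool
{
    $inner = (string) preg_replace('#^<div class="chat-msg">|</div>$#', '', $html);
    return preg_match('/<[a-z!\/]/i', $inner) === 1;
}

// Constructed sample plant names: one benign, two carrying markup.
$samples = [
    'Monstera deliciosa',
    '<img src=x onerror=alert(1)>',
    '"><b>bold</b>',
];

foreach ($samples as $name) {
    $unsafe = renderChatLineUnsafe('alice', $name);
    $safe   = renderChatLineSafe('alice', $name);
    printf(
        "%-30s unsafe=%-6s safe=%s\n",
        $name,
        containsInjectedMarkup($unsafe) ? 'MARKUP' : 'clean',
        containsInjectedMarkup($safe) ? 'MARKUP' : 'clean'
    );
    echo '  rendered safely as: ', $safe, "\n";
}
```

Encoding at output time also neutralizes payloads that were saved to the database before a fix was deployed, which input filtering alone would not.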
