Kissflow Work Platform Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in Kissflow Work Platform's Kissflow Application, affecting versions prior to 7337 and Account module versions 2.0 to 4.2. This vulnerability allows attackers to inject arbitrary JavaScript into user-submitted forms. When these forms are accessed by an administrator through the Kissflow Admin Panel, the injected scripts are executed, leading to session hijacking, unauthorized administrative actions, and disclosure of sensitive information.

Impact

Exploitation of this vulnerability allows for persistent cross-site scripting in admin sessions, potential account takeover through stolen tokens, disclosure of sensitive information such as form data and user profiles, and privilege escalation within the administrative interface.

Reproduction

To reproduce this vulnerability, submit a form on a public Kissflow Work Platform application, such as the Account Application, including a crafted payload that exploits cross-site scripting. Once the form is submitted, an authenticated administrator must review the submission in the Kissflow Admin Panel, which will trigger the execution of the injected script.

Remediation

Users are advised to upgrade to the latest version of Kissflow Work Platform (version 7337 or later) and ensure that form rendering modules and admin interfaces are updated. Implementing Content Security Policy headers and properly sanitizing user inputs while encoding outputs can also help mitigate this vulnerability.