Listmonk Cross-Site Request Forgery Vulnerability Leading to Cross-Site Scripting and Admin Account Creation

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in Listmonk versions through 1.1.0. Every request to the backend carries a 'nonce' value alongside the 'session' cookie, but the backend never validates it: a request with the 'nonce' stripped out is processed exactly as if it were present. On its own this looks harmless, since the session cookie is still required, but it becomes critical in combination with two other weaknesses. First, the 'session' cookie is set without a SameSite flag, so the browser attaches it to requests that originate from an attacker's page, which lets a cross-origin page submit authenticated requests on the victim's behalf. Second, the '/api/templates/preview' endpoint renders the submitted template in the victim's browser, so a forged preview request whose template contains JavaScript results in Cross-Site Scripting (XSS) in the application's origin. That script runs with the victim's privileges and can be used to create an admin account, compromising the entire application.

Impact

An attacker who lures a logged-in user to a malicious page can execute script in the application's origin and use it to create an admin account, which amounts to a full takeover of the application.

Reproduction

To reproduce this vulnerability, log into the application and capture a POST request to the '/api/templates/preview' endpoint. Remove the 'nonce' from the request and resend it, keeping the 'session' cookie: the backend accepts and processes the request, which confirms that the 'nonce' is never checked. For the cross-site step, the 'session' cookie must have no 'SameSite' attribute or have it set to 'None', so that the browser attaches it to a request submitted from a third-party page. A page on an attacker-controlled origin can then submit the same POST with a template body that includes JavaScript; when a logged-in victim loads that page, the template is previewed in the victim's browser and the script executes in the application's origin. The injected script can issue further authenticated requests, including one that creates an admin account.
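The following Go program is an added illustration of the flaw and of the two fixes the text implies; it is not listmonk's own code. It models a minimal session store, a preview endpoint that echoes the submitted template as HTML, a vulnerable handler that reads the nonce but never compares it, and a hardened handler that requires the nonce issued for the session. The page does not say how the nonce is transmitted, so an 'X-Nonce' request header is assumed; the session store, handler names and the attacker template are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// sessionStore stands in for the application's session handling (not listmonk's
// code): session ID -> nonce issued with it. Single-goroutine demo, no locking.
type sessionStore map[string]string

// newSession issues a random session ID and a nonce bound to it, as a login would.
func (s sessionStore) newSession() (sessionID, nonce string) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	sessionID, nonce = hex.EncodeToString(b[:16]), hex.EncodeToString(b[16:])
	s[sessionID] = nonce
	return sessionID, nonce
}

// nonceFor resolves the 'session' cookie to the nonce issued for that session.
func (s sessionStore) nonceFor(r *http.Request) (string, bool) {
	c, err := r.Cookie("session")
	if err != nil {
		return "", false
	}
	nonce, ok := s[c.Value]
	return nonce, ok
}

// renderPreview models the preview endpoint: the template is echoed as HTML, so
// a <script> inside it runs in the viewer's browser.
func renderPreview(w http.ResponseWriter, r *http.Request) {
	body, _ := io.ReadAll(r.Body)
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	w.Write(body)
}

// vulnerableHandler: the nonce travels with the request (assumed here to be an
// X-Nonce header) but is never compared, which is the flaw described above.
func vulnerableHandler(s sessionStore) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, ok := s.nonceFor(r); !ok {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		_ = r.Header.Get("X-Nonce") // read but ignored: the missing check
		renderPreview(w, r)
	})
}

// hardenedHandler rejects a request that lacks the nonce issued for its session;
// a page on another origin can make the browser send the cookie but not the nonce.
func hardenedHandler(s sessionStore) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		expected, ok := s.nonceFor(r)
		if !ok {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		if subtle.ConstantTimeCompare([]byte(r.Header.Get("X-Nonce")), []byte(expected)) != 1 {
			http.Error(w, "missing or invalid nonce", http.StatusForbidden)
			return
		}
		renderPreview(w, r)
	})
}

// hardenedSessionCookie is the independent second layer: with SameSite=Lax the
// browser does not attach the cookie to a POST started from another site.
func hardenedSessionCookie(sessionID string) *http.Cookie {
	return &http.Cookie{Name: "session", Value: sessionID, Path: "/",
		HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode}
}

// sendPreview replays a cross-site POST: the session cookie is attached (as a
// browser does when it has no SameSite attribute) and the nonce only if the
// caller knows it. An attacker's page can only produce the nonce == "" case.
func sendPreview(h http.Handler, sessionID, nonce, template string) (int, string) {
	req := httptest.NewRequest(http.MethodPost, "/api/templates/preview", strings.NewReader(template))
	req.AddCookie(&http.Cookie{Name: "session", Value: sessionID})
	if nonce != "" {
		req.Header.Set("X-Nonce", nonce)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Body.String()
}

func main() {
	store := sessionStore{}
	sid, _ := store.newSession()
	payload := `<script>alert("xss")</script>` // constructed attacker template
	code, body := sendPreview(vulnerableHandler(store), sid, "", payload)
	fmt.Printf("vulnerable: %d %s\n", code, body)
	code, body = sendPreview(hardenedHandler(store), sid, "", payload)
	fmt.Printf("hardened: %d %s", code, body) // http.Error adds its own newline
}
```

Run as written, the vulnerable handler returns 200 with the script tag in the body for the forged request, while the hardened handler returns 403. The two fixes are independent: the nonce comparison stops a forged request even if the cookie is sent, and SameSite=Lax stops the cookie from being sent with a cross-site POST even if a nonce check is missing. Both belong in the fix, since a single layer leaves the application one mistake away from the same outcome.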

Added: Sep 9, 2025, 8:25 PM
Updated: Sep 9, 2025, 8:25 PM

Vulnerability Rating

Custom Algorithm
spread          0.0
impact          5.0
exploitability  7.7
remediation     0.0
relevance       0.5
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.