Emoncms Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in Emoncms version 11.7.3. This issue arises from inadequate input validation in the application's log handling process. Authenticated attackers with API access can exploit this vulnerability by injecting malicious JavaScript into the 'fulljson' query parameter. The injected script is executed when an administrator views the application logs.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the logs.

Reproduction

To reproduce this vulnerability, send a GET request to the '/input/post' endpoint with a payload that includes a script tag in the 'fulljson' parameter. Ensure that the request is made with a valid API key that has read and write permissions. After injecting the payload, an administrator can navigate to the '/admin/log' endpoint to see the executed script, such as an alert dialog.

Remediation

Users are advised to update to the patched version of Emoncms, which addresses the input validation and output encoding issues. The update can be obtained from the official Emoncms repository.