SelfBest Stored Cross-Site Scripting Vulnerability in Chat Functionality Allows Privilege Escalation
Vulnerability
A stored cross-site scripting vulnerability has been identified in the chat feature of the SelfBest platform, specifically in version 2023.3. This vulnerability allows authenticated low-privileged users to execute arbitrary JavaScript in the context of other users' sessions. The exploitation of this vulnerability could lead to unauthorized access to administrative data and functions, including the ability to fetch and exfiltrate information from the /admin/users endpoint, thereby escalating privileges and compromising sensitive user data.
Impact
Exploitation of this vulnerability allows for vertical privilege escalation, enabling low-privileged users to gain administrative access. This access is achieved without any interaction from the admin user, as the malicious payload is executed automatically when the admin views the chat message. The vulnerability also facilitates mass data theft, with the potential for a complete compromise of the application's administrative functions and data.
Reproduction
To reproduce this vulnerability, an authenticated low-privileged user can send a chat message containing a crafted payload, such as an image tag with an 'onerror' event. This payload is stored in the database and remains active indefinitely. When an admin user views the message, the payload is executed, triggering the theft of admin data. The stolen data can include sensitive information from various administrative endpoints, such as user details, application settings, and configuration files.
Remediation
Immediate fixes should include implementing aggressive input sanitization to strip harmful HTML before storage, applying context-aware output encoding for different user roles, and establishing a strict Content Security Policy for administrative areas. Additionally, real-time monitoring for unauthorized access to admin endpoints can help detect and prevent exploitation.
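As an added illustration of two of the remediations above (this is example code, not SelfBest's own), the snippet below escapes a stored chat message at render time so that the body is always treated as text, and builds a strict Content Security Policy header for admin routes that blocks inline script and outbound connections to other origins. The message object shape and the route layout are assumptions.

```javascript
// Added example (not SelfBest's code): defensive handling of chat messages.
// Layer 1: context-aware output encoding when a message is rendered into HTML.
// Layer 2: a strict CSP on /admin/* responses so markup that slips past
// storage-side filtering still cannot run script or reach a third-party host.

// Escape the characters that matter in HTML text and attribute contexts.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Render one stored chat message. The body is data, never markup, no matter
// which role (admin or regular user) is viewing it.
function renderChatMessage(message) {
  const sender = escapeHtml(message.sender);
  const body = escapeHtml(message.body);
  return `<li class="chat-msg" data-sender="${sender}"><strong>${sender}</strong>: ${body}</li>`;
}

// CSP for administrative pages: no inline or remote script, and fetch/XHR,
// images and forms restricted to the application's own origin, which removes
// the exfiltration channel even if a payload were to execute.
function adminCspHeader() {
  return [
    "default-src 'self'",
    "script-src 'self'",
    "object-src 'none'",
    "base-uri 'none'",
    "connect-src 'self'",
    "img-src 'self'",
    "form-action 'self'",
    "frame-ancestors 'none'",
  ].join("; ");
}

// Constructed sample message of the kind the advisory describes (an image tag
// carrying an onerror handler), used here only to show it renders as inert text.
const sampleMessage = { sender: "lowpriv", body: '<img src="x" onerror="alert(1)">' };

// Usage: renderChatMessage(sampleMessage) yields escaped text with no live <img> tag;
// adminCspHeader() is set as the Content-Security-Policy response header on admin routes.
```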