SelfBest Platform DOM-Based Cross-Site Scripting Vulnerability
Vulnerability
A DOM-based Cross-Site Scripting (XSS) vulnerability has been identified in the SelfBest platform, specifically in version 2023.3. It allows attackers to execute arbitrary JavaScript in the context of a logged-in user's session. The issue arises in the application's client-side code, which writes to the DOM without proper sanitization and is not protected by a Content Security Policy (CSP). Exploitation of this vulnerability could lead to account takeover and data theft.
Impact
Exploitation of this vulnerability could result in full account compromise, data exfiltration, and session hijacking.
Reproduction
The vulnerability can be reproduced by injecting a JavaScript payload into the browser's developer console. Once the payload is executed, it can manipulate the DOM through the vulnerable 'innerHTML' usage, executing the malicious code with the privileges of the logged-in user.
Remediation
To address this vulnerability, developers should implement a robust Content Security Policy, use safe DOM manipulation methods instead of 'innerHTML', and sanitize user input before inserting it into the DOM. Monitoring for unusual console activity and DOM changes can also help detect and respond to potential exploitation.
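The remediation steps above as an added example (not SelfBest's code): an 'innerHTML' sink beside two hardened forms, plus a CSP header value that restricts script execution. Function names, the greeting markup and the sample nonce handling are hypothetical; only the 'innerHTML' sink comes from this advisory.

```javascript
// Added example. `el` is any DOM element (or a stand-in object when run under Node).

// Before: untrusted text is concatenated into markup and parsed by innerHTML.
function renderGreetingUnsafe(el, displayName) {
  el.innerHTML = '<span class="greeting">Hello, ' + displayName + '</span>';
}

// After (preferred): textContent stores the value as a text node, so the
// browser never parses it as HTML.
function renderGreetingSafe(el, displayName) {
  el.textContent = 'Hello, ' + String(displayName);
}

// Where a markup string really has to be built, encode the five
// HTML-significant characters before concatenating.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

function renderGreetingEscaped(el, displayName) {
  el.innerHTML = '<span class="greeting">Hello, ' + escapeHtml(displayName) + '</span>';
}

// Content-Security-Policy header value: scripts only from the same origin or
// carrying the per-response nonce (which also blocks inline event handlers),
// and Trusted Types enforcement so plain-string writes to innerHTML are
// rejected in browsers that support it.
function buildCsp(nonce) {
  if (!/^[A-Za-z0-9+\/_-]{16,}={0,2}$/.test(nonce)) {
    throw new Error('nonce must be a base64 string of at least 16 characters');
  }
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    "object-src 'none'",
    "base-uri 'none'",
    "require-trusted-types-for 'script'",
  ].join('; ');
}
```

Generate the nonce from a cryptographically secure random source on every response; a reused or predictable nonce gives no protection.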
