TrueConf Server Stored Cross-Site Scripting Vulnerability Allowing Account Takeover

A stored cross-site scripting vulnerability has been identified in TrueConf Server version 5.5.2.10813. The issue resides in the Meeting location field of the Create and Edit Conference functionalities. Malicious scripts injected through the meeting_room parameter are executed when users access the Conference Info page, potentially leading to full account takeover. This vulnerability stems from inadequate sanitization of user input in the meeting_room field.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, theft of API access tokens and user identifiers, unauthorized access to TrueConf API endpoints, and full account takeover.

Reproduction

To reproduce this vulnerability, inject a malicious payload into the Meeting location field while creating or editing a conference. Once the conference is saved, the injected script will execute automatically when the Conference Info page is viewed, exfiltrating API tokens and user IDs from localStorage.

Remediation

Users are advised to sanitize and encode all user input in the meeting_room parameter, disallowing HTML and JavaScript execution in conference metadata fields.