OnboardLite Stored Cross-Site Scripting Vulnerability Leading to Admin Account Takeover
Vulnerability
A stored cross-site scripting vulnerability has been identified in OnboardLite, a membership lifecycle platform for student organizations at the University of Central Florida. This vulnerability exists in versions prior to the patch commit and can be exploited when an admin attempts to migrate a user's Discord account through the dashboard. The issue arises from unsafe handling of user data, specifically the first and last names, which can be manipulated to include malicious scripts.
Impact
Exploitation of this vulnerability allows an attacker to execute scripts in the context of the admin user, potentially leading to unauthorized actions or access within the application.
Reproduction
To reproduce this vulnerability, change the account name to include an XSS payload. Then, when an admin migrates the Discord account, the injected script will execute due to the improper handling of the name data.
Remediation
Users can update to the latest version of OnboardLite, which includes the necessary patch for this vulnerability.
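The unsafe name handling described above, shown beside a hardened form, as an added example that is not OnboardLite's own code. The field names (`first_name`, `surname`), the prompt wording, the function names and the sample records are assumptions made for illustration.

```javascript
// Added example: hypothetical names and record layout, not OnboardLite code.

// Characters that can change how a browser parses HTML, and their entities.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: stored name fields are concatenated into markup as-is,
// so whatever a member saved as their name is parsed as HTML in the admin's session.
function renderMigratePromptUnsafe(user) {
  return `<p>Migrate Discord account for ${user.first_name} ${user.surname}?</p>`;
}

// Hardened pattern: every stored field is escaped at the point of output.
function renderMigratePromptSafe(user) {
  const first = escapeHtml(user.first_name);
  const last = escapeHtml(user.surname);
  return `<p>Migrate Discord account for ${first} ${last}?</p>`;
}

// Audit helper: list ids of records whose names already contain angle brackets.
// Apostrophes are not flagged because they occur in legitimate names.
function findSuspectNames(users) {
  return users
    .filter((u) => /[<>]/.test(`${u.first_name} ${u.surname}`))
    .map((u) => u.id);
}

// Constructed sample records (inert markup only).
const SAMPLE_USERS = [
  { id: 1, first_name: "Ada", surname: "O'Brien" },
  { id: 2, first_name: "<b>Eve</b>", surname: "Smith" },
];

for (const user of SAMPLE_USERS) {
  console.log("unsafe:", renderMigratePromptUnsafe(user));
  console.log("safe:  ", renderMigratePromptSafe(user));
}
console.log("records to review:", findSuspectNames(SAMPLE_USERS));
```

Escaping at output keeps names such as O'Brien intact for display, while the audit helper finds records saved before the patch that still need review.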
