Wallos Reflected Cross-Site Scripting Vulnerability in Password Reset Feature
Vulnerability
A reflected cross-site scripting (XSS) vulnerability has been identified in Wallos, a personal subscription tracker, prior to version 4.6.2. The issue arises in the password reset page, where the 'token' and 'email' parameters are output directly into HTML input value attributes without proper sanitization. This lack of htmlspecialchars() encoding allows for the injection of malicious scripts by breaking out of the attribute context.
Impact
Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.
Reproduction
To reproduce this vulnerability, send a POST request to the password reset page with a crafted token that includes a script, such as an alert. The response will include the injected script, executed as part of the page. The email parameter can also be exploited in a similar manner by injecting an image tag with an onerror event.
Remediation
Users are advised to update to Wallos version 4.6.2, where this vulnerability has been patched.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.