Wallos Stored Cross-Site Scripting Vulnerability in Payment Method Rename Endpoint
Vulnerability
A stored cross-site scripting vulnerability has been identified in Wallos, a personal subscription tracker, prior to version 4.7.0. The issue resides in the payment method rename endpoint, where user-supplied names are not properly validated before being saved. This allows authenticated users to inject JavaScript that executes when other users visit the Settings, Subscriptions, or Statistics pages. Additionally, the wallos_login cookie lacks the HttpOnly flag, so the injected script can read it and enable session hijacking.
Impact
An authenticated user can store a script that runs in the browser of every user who views the Settings, Subscriptions, or Statistics pages. In multi-user deployments, this could include the administrator. Because the wallos_login cookie is not marked HttpOnly, that script can read the cookie, which enables session hijacking.
Reproduction
To reproduce this vulnerability, log in as an authenticated user and obtain the CSRF token. Then, send a POST request to the payment method rename endpoint with an XSS payload in the name parameter. The injected script will execute when the Settings, Subscriptions, or Statistics pages are visited.
Remediation
Users are advised to update to Wallos version 4.7.0, where this vulnerability has been patched.
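The two defensive controls this advisory implies, shown as an added illustration that is not Wallos's own code: server-side validation of the name before it is stored, HTML encoding wherever the name is rendered, and a login cookie issued with HttpOnly. The function names, the PDO handle, the payment_methods table, the csrf_token session key and the cookie lifetime are assumptions for this example, and an active PHP session is assumed for the CSRF check.

```php
<?php
// Added illustration (not Wallos code): a rename handler that validates the
// name before saving, encodes it on output, and issues the session cookie
// with HttpOnly. Function names, the $db handle, the table name and the
// session/cookie details are assumptions for this example.

declare(strict_types=1);

// Reject names that are empty, over-long, or contain control characters.
// Validation limits what is stored; it does not replace output encoding.
function validate_payment_method_name(string $name): bool
{
    if ($name === '' || mb_strlen($name, 'UTF-8') > 64) {
        return false;
    }
    // preg_match returns 1 on a match, 0 on no match, false on error.
    return preg_match('/[\x00-\x1F\x7F]/u', $name) === 0;
}

// Encode for an HTML text node or quoted attribute value. This is the
// control that actually prevents stored XSS on the Settings, Subscriptions
// and Statistics pages, whatever was accepted at save time.
function html_encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Rename handler: CSRF check, validate, then store via a prepared statement.
function handle_rename(PDO $db, int $userId, array $post): array
{
    if (!hash_equals((string) ($_SESSION['csrf_token'] ?? ''), (string) ($post['csrf_token'] ?? ''))) {
        return ['ok' => false, 'error' => 'invalid CSRF token'];
    }
    $name = trim((string) ($post['name'] ?? ''));
    if (!validate_payment_method_name($name)) {
        return ['ok' => false, 'error' => 'invalid name'];
    }
    $stmt = $db->prepare('UPDATE payment_methods SET name = :name WHERE id = :id AND user_id = :uid');
    $stmt->execute([':name' => $name, ':id' => (int) ($post['id'] ?? 0), ':uid' => $userId]);
    return ['ok' => true, 'name' => $name];
}

// Session cookie with HttpOnly so page script cannot read it (PHP >= 7.3 options array).
function issue_login_cookie(string $token): void
{
    setcookie('wallos_login', $token, [
        'expires' => time() + 30 * 86400, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Strict',
    ]);
}
// When rendering a stored name, always encode it: echo html_encode($row['name']);
```

On an upgraded instance, the Set-Cookie header for wallos_login should show the HttpOnly attribute, and a stored name containing markup should appear as literal text on the three affected pages.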