RockRMS
cpe:2.3:a:sparkdevnetwork:rock_rms:*:*:*:*:*:*:*
- <= 17.7.0
A cross-site scripting (XSS) vulnerability has been identified in Rock RMS versions through 17.7.0. This issue allows for the execution of arbitrary JavaScript in the context of an administrator's browser session, potentially leading to unauthorized privilege escalation. The vulnerability arises from inadequate input sanitization in the Social Media Links feature of user profiles. When an administrator views a profile containing a crafted XSS payload, the payload executes and can escalate the profile owner's privileges to that of an administrator.
Exploitation of this vulnerability allows a standard user to gain administrative privileges within the Rock RMS application.
To reproduce this vulnerability, first ensure that the Social Media Links feature is enabled in the Rock RMS user profile settings. Once enabled, register a standard user account and update the profile to include a social media link. Intercept the profile update request and inject a JavaScript payload that exploits the XSS vulnerability. After the payload is injected, wait for an administrator to view the profile, which will trigger the execution of the payload and escalate the user's privileges to an administrator.
To mitigate this vulnerability, disable the Social Media Links feature within user profiles. This can be done by navigating to the Admin Settings, selecting General, and then accessing Person Attributes to uncheck the Active box for each social media type.
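The two server-side controls the advisory's root cause points at, an allow-list on the link's URL scheme when the profile is saved and HTML attribute encoding when the link is rendered to a viewer, as an added Python example; it is not Rock RMS code, and the sample link values are constructed for illustration.

```python
from html import escape
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample values for a profile's social media link field
# (illustrative only; not taken from Rock RMS).
SAMPLE_LINKS = {
    "benign": "https://example.com/profile/jdoe",
    "script_scheme": "javascript:alert(1)",
    "attr_breakout": 'https://example.com/" onmouseover="alert(1)',
    "relative": "/not-a-social-link",
}

ALLOWED_SCHEMES = {"http", "https"}


def validate_social_link(value: str) -> Optional[str]:
    """Return the link if it is an absolute http(s) URL, otherwise None.

    Allow-listing the scheme rejects javascript:, data: and scheme-less
    values; requiring a host rejects relative paths that are not links.
    """
    value = value.strip()
    try:
        parts = urlsplit(value)
    except ValueError:  # e.g. malformed IPv6 bracket syntax
        return None
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return value


def render_link_unsafe(value: str) -> str:
    """The failure mode: a stored value interpolated straight into markup.

    A value containing a quote can close the href attribute and add
    event-handler attributes of its own.
    """
    return f'<a href="{value}">{value}</a>'


def render_link(value: str) -> str:
    """Validate on the way in and attribute-encode on the way out."""
    safe = validate_social_link(value)
    if safe is None:
        return ""  # drop rejected links instead of rendering them
    enc = escape(safe, quote=True)  # encodes & < > " ' for attribute context
    return f'<a href="{enc}" rel="noopener noreferrer">{enc}</a>'
```

Validation alone is not enough: the `attr_breakout` sample is a structurally valid https URL, so only the output encoding in `render_link` keeps it inside the attribute.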