ProjeQtOr Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in ProjeQtOr versions 7.0 prior to 12.4.4. The issue arises in the checkValidHtmlText() function within Security.php, where user input is not properly sanitized. The application attempts to filter out certain HTML patterns but fails to encode or clean the content before displaying it. This allows attackers to inject malicious payloads that bypass the filtering, using alternative syntaxes such as image tags with event handlers. The injected scripts are stored and executed in the browsers of users who view the affected content.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user's browser session. This could lead to session hijacking, unauthorized actions performed on behalf of the user, phishing attacks within the application, modification of displayed content, or theft of data from accessible pages.

Remediation

Users are advised to update to ProjeQtOr version 12.4.4 or later. For applications that need to allow some HTML tags, a proper HTML sanitizer library, such as HTML Purifier, should be used. Additionally, implementing a strict Content Security Policy can provide an extra layer of protection.