LinkStack
cpe:2.3:a:linkstack:linkstack:*:*:*:*:*:*:*
- <= 4.8.6
A stored cross-site scripting vulnerability has been identified in LinkStack, a self-hosted link management platform, in versions through 4.8.6. The issue arises in the 'editPage' function of the 'UserController.php' file, where user-supplied descriptions are inadequately sanitized. This flaw allows the injection of JavaScript event handlers into links, which are then executed when the link is viewed. The vulnerability can be exploited remotely by any registered user.
Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the context of the user viewing the affected link, potentially leading to session hijacking, account takeover, privilege escalation, phishing, or the propagation of malicious payloads to other users.
To reproduce this vulnerability, create a registered user account on a LinkStack instance running version 4.8.6 or prior. After logging in, navigate to the 'Studio' page and inject a cross-site scripting payload into the 'Page Description' field using an allowed HTML tag, such as a link. Once the payload is saved, it will execute when the link info page is visited.
The vulnerability can be fixed by updating the 'UserController.php' to strip all event handler attributes from the 'pageDescription' input after using 'strip_tags()' for sanitization. This ensures that injected JavaScript event handlers cannot be executed when the description is rendered.
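As an added example, not code from the LinkStack project, the following PHP implements the fix described above (strip_tags() followed by removal of event handler attributes) and a stricter variant that allowlists attributes per tag; the function names, the allowed tag list and the attribute allowlist are assumptions made for illustration.

```php
<?php
// Added example, not LinkStack's own code. Function names, the allowed tag
// list and the attribute allowlist are assumptions for illustration.

// The fix as described: keep a few formatting tags, then drop event handlers.
// strip_tags() leaves attributes on the tags it keeps untouched, so the
// second step is what actually removes on*="..." from a kept <a>.
function sanitizePageDescription(string $input): string
{
    $html = strip_tags($input, '<a><b><i><br>');
    // Matches on<name>=value with double-quoted, single-quoted or bare values.
    $pattern = '/\s+on[a-z]+\s*=\s*(?:"[^"]*"|\'[^\']*\'|[^\s>]+)/i';
    return preg_replace($pattern, '', $html) ?? '';
}

// Stricter variant: parse the kept HTML and remove every attribute that is
// not explicitly allowed for that tag, so nothing unexpected reaches the page.
function allowlistAttributes(string $html): string
{
    $allowed = ['a' => ['href', 'title']];
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    $doc->loadHTML('<!DOCTYPE html><html><head>'
        . '<meta http-equiv="Content-Type" content="text/html; charset=utf-8">'
        . '</head><body>' . $html . '</body></html>');
    libxml_clear_errors();
    $xpath = new DOMXPath($doc);
    foreach ($xpath->query('//body//*') as $el) {
        $keep = $allowed[strtolower($el->tagName)] ?? [];
        for ($i = $el->attributes->length - 1; $i >= 0; $i--) {
            $name = $el->attributes->item($i)->name;
            if (!in_array(strtolower($name), $keep, true)) {
                $el->removeAttribute($name);
            }
        }
        // Keep only absolute http(s) links; any other href is dropped.
        if ($el->hasAttribute('href')
            && !preg_match('#^https?://#i', $el->getAttribute('href'))) {
            $el->removeAttribute('href');
        }
    }
    $out = '';
    foreach ($doc->getElementsByTagName('body')->item(0)->childNodes as $node) {
        $out .= $doc->saveHTML($node);
    }
    return $out;
}

// Constructed sample: a description with an allowed <a> carrying a handler.
$sample = 'Visit <a href="https://example.com" onmouseover="handler()">my site</a>';
echo allowlistAttributes(sanitizePageDescription($sample)), PHP_EOL;
```

The first function is sufficient for the attribute class the advisory names; the second is the shape to prefer when the allowed tags can carry arbitrary attributes, since it rejects anything not listed rather than trying to enumerate what to remove.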