RSS for Yandex Turbo < 1.30 - Authenticated Stored Cross-Site Scripting (XSS)
Description
The plugin did not properly sanitise the user inputs from its Счетчики settings tab before outputting them back in the page, leading to authenticated stored Cross-Site Scripting issues
Proof of Concept
As admin, Navigate to Setting >> Яндекс.Турбо >> Счетчики and enter a payload such as " onmouseover="alert(1) into all the six user input fields and submit the request. You will observe that the payloads got successfully stored into the database and when you move the mouse cursor over these fields the JavaScript payloads get executed successfully and we get a pop-up. Better payload (WPScanTeam): " style="animation-name:rotation" onanimationstart="alert(/XSS/) The following fields are vulnerable to Stored Sross-Site Scripting : Яндекс.Метрика LiveInternet Google Analytics Рейтинг Mail.Ru Rambler Топ-100 Mediascope (TNS)
Affects Plugins
Fixed in version 1.30✓
References
Classification
Miscellaneous
Original Researcher
Himamshu Dilip Kulkarni
Submitter
Himamshu Dilip Kulkarni
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2021-04-21 (about 6 months ago)
Added
2021-04-21 (about 6 months ago)
Last Updated
2021-04-22 (about 6 months ago)