CMU CERT/CC VINCE v2.0.6 Stored XSS


Vendor: Carnegie Mellon University
Product web page: https://www.kb.cert.org/vince/
Affected version: <=2.0.6

Summary: VINCE is the Vulnerability Information and Coordination
Environment developed and used by the CERT Coordination Center
to improve coordinated vulnerability disclosure. VINCE is a
Python-based web platform.

Desc: The framework suffers from an authenticated stored
cross-site scripting vulnerability. Input passed to the
'content' POST parameter is not properly sanitised before
being returned to the user. This can be exploited to execute
arbitrary HTML/JS code in a user's browser session in context
of an affected site.

Tested on: nginx/1.20.0
           Django 3.2.17


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2025-5917
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5917.php


13.01.2023

--


$ curl -k https://kb.cert.org/vince/comm/post/CASE_NO \
> -H "Cookie: sessionid=xxxx" \
> -d 'content="><marquee>ZSL</marquee>%0A%0A&csrfmiddlewaretoken=xxx&paginate_by=10&reply_to=xxxxx'