NationBuilder Multiple Stored XSS Vulnerabilities

Title: NationBuilder Multiple Stored XSS Vulnerabilities
Advisory ID: ZSL-2016-5318
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 23.04.2016
Summary
NationBuilder is a unique nonpartisan community organizing system that brings together a comprehensive suite of tools that today's leaders and creators need to gather their tribes. Deeply social.
Description
The application suffers from multiple stored XSS vulnerabilities. Input passed to several POST parameters is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
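The defect class described above, shown as an added example that is not taken from the advisory, its PoC or the vendor's code: a stored value rendered without output encoding next to the same value rendered with encoding, plus a check usable as a regression test. Plain stdlib ERB, the `title` field, the in-memory store and the probe string are all assumptions constructed for illustration.

```ruby
require "erb"

# Constructed in-memory store standing in for the application's database.
STORE = {}

# Persist a POST parameter exactly as submitted. Keeping raw input is fine;
# the defect described above is on the output side.
def save_field(id, value)
  STORE[id] = value.to_s
end

# 'Before' form: stdlib ERB does not encode, so the stored value reaches
# both the element body and the attribute value unchanged.
UNSAFE_TEMPLATE = ERB.new(
  '<h1><%= value %></h1><input name="title" value="<%= value %>">'
)

# Hardened form: the stored value is HTML-encoded at each point of output.
# html_escape covers & < > " and ', so it is safe in quoted attributes too.
SAFE_TEMPLATE = ERB.new(
  '<h1><%= ERB::Util.html_escape(value) %></h1>' \
  '<input name="title" value="<%= ERB::Util.html_escape(value) %>">'
)

# Render a stored record through the given template.
def render(template, id)
  value = STORE.fetch(id)
  template.result(binding)
end

# Regression check: true when markup from stored data survives into the
# response as live HTML rather than as encoded text.
def reflects_markup?(html, marker)
  html.include?(marker)
end

# Constructed, harmless probe: closes a quoted attribute and opens a tag.
PROBE = '"><b id="probe">x</b>'

if __FILE__ == $0
  save_field(:demo, PROBE)
  puts "unsafe: #{render(UNSAFE_TEMPLATE, :demo)}"
  puts "safe:   #{render(SAFE_TEMPLATE, :demo)}"
end
```

Running the same probe through every page that displays user-supplied fields, and failing the build when `reflects_markup?` returns true, catches a missed encoding call before release.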
Vendor
NATIONBUILDER WHQ - http://www.nationbuilder.com
Affected Version
unknown
Tested On
Apache/2.2.22 (Ubuntu)
Phusion Passenger 4.0.48
Vendor Status
[11.04.2016] Vulnerability discovered.
[12.04.2016] Vendor contacted.
[22.04.2016] No response from the vendor.
[23.04.2016] Public security advisory released.
PoC
nationbuilder_xss.html
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://cxsecurity.com/issue/WLB-2016040150
[2] https://www.exploit-db.com/exploits/39730/
[3] https://packetstormsecurity.com/files/136804
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/112786
Changelog
[23.04.2016] - Initial release
[26.04.2016] - Added reference [1] and [2]
[27.04.2016] - Added reference [3]
[21.05.2016] - Added reference [4]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk