SIK-2017-001
Title:
Stored and Reflected XSS in pdf-express.org Website
Report ID
SIK-2017-001
Summary:
- Vendor: IEEE
- Product: pdf-express.org Website
- Affected Version: –
- Severity: medium
- Short summary: Reflected and Stored XSS possible in pdf-express.org website.
Details:
The login page of the https://www.pdf-express.org/ website does not properly validate the text entered in its fields. This results in a reflected XSS attack (OWASP Link). As an example, if an attacker fills out the following:
Conference ID: "><script>alert("XSS")</script>
Email Address: test@test.org
Password: supersecure
The result is a pop-up showing "XSS". More concrete attacks are described here.
If I create a new account and create a password containing "><script>alert("XSS")</script>, for example, the XSS is persistent.
Workaround
–
Suggested Mitigation
Proper input sanitization is needed. More details can be found at https://www.owasp.org/index.php/Data_Validation
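An added example (not code from pdf-express.org or from this report's author) of the mitigation in Python: the Conference ID payload from the Details section is echoed verbatim into a form field, then HTML-encoded on output, and an allow-list check rejects it on input. The field name `confid`, the ID pattern and all function names are assumptions.

```python
import html
import re
from html.parser import HTMLParser

# Payload quoted in the Details section of this report.
PAYLOAD = '"><script>alert("XSS")</script>'

# Assumed conference ID format (hypothetical; the site's real rules are not known).
CONF_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")


def validate_conf_id(conf_id: str) -> bool:
    """Allow-list input validation: accept only the expected character set."""
    return CONF_ID_RE.fullmatch(conf_id) is not None


def render_unsafe(conf_id: str) -> str:
    """Vulnerable pattern: the submitted value is echoed into the attribute as-is."""
    return f'<input type="text" name="confid" value="{conf_id}">'


def render_safe(conf_id: str) -> str:
    """Output encoding: escape &, <, >, " and ' before placing the value in HTML."""
    return f'<input type="text" name="confid" value="{html.escape(conf_id, quote=True)}">'


class _Tags(HTMLParser):
    """Collects (tag, attributes) for every start tag a parser sees."""

    def __init__(self):
        super().__init__()
        self.seen = []

    def handle_starttag(self, tag, attrs):
        self.seen.append((tag, dict(attrs)))


def parse(markup: str):
    parser = _Tags()
    parser.feed(markup)
    parser.close()
    return parser.seen


if __name__ == "__main__":
    print("unsafe:", [t for t, _ in parse(render_unsafe(PAYLOAD))])
    print("safe:  ", [t for t, _ in parse(render_safe(PAYLOAD))])
    print("valid: ", validate_conf_id(PAYLOAD))
```

The same encoding has to be applied wherever a stored value is rendered later, which is what addresses the persistent case.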
Timeline
- 2017-02-03 Vulnerability Discovered
- 2017-02-06 Barbara contacted me and sent me a link to Dropbox to upload the report
- 2017-05-08 Vulnerability is not fixed, vendor needs more time
- 2018-08-01 Published