In this post I will go through CVE-2023-30096: the description of the vulnerability, how to replicate it, and the PoC.

Messenger, a TotalJS product, is

"a chat application for programmers.
Our solution is a small, fast, and open-source web application that you can customize to fit your needs.
Try our great solution as a communication channel in your company or sell it to your customers."

The Messenger platform includes:

  • Real-time messaging.
  • GitHub-flavored Markdown support.
  • Secret messages.
  • Full-text search.

[Screenshot: TotalJS Messenger]

Description of the vulnerability

TotalJS Messenger at commit b6cf1c9 is vulnerable to cross-site scripting (XSS): the channel description field is not properly sanitized before it is rendered, so HTML and script supplied by a user are interpreted by the browser.

Replication of the vulnerability

  • Log in to the application.
  • Click on Direct messages.
  • Click on Add a new user.
  • Fill every available field with the payload "><img src=x onerror=alert(document.domain)> and save.
  • The XSS fires whenever the saved user info is reflected into a page.
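The root cause above, shown as an added example that is not TotalJS Messenger's own code: a stored description rendered into HTML without escaping next to the same template with output encoding applied, using the write-up's payload as input. The function names, the template, and the `introducesMarkup` check are assumptions made for illustration.

```javascript
// Added example (not TotalJS Messenger's code): unescaped vs escaped
// rendering of a user-supplied description field.
// Payload taken from the write-up above.
const PAYLOAD = '"><img src=x onerror=alert(document.domain)>';

// Escape the characters that let text break out of an HTML text or
// attribute context. Encoding at output time is the fix for this bug class.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the stored value is interpolated as-is into an
// attribute and into element text. The leading '">' closes the attribute
// and the tag, and the remainder is parsed as new markup.
function renderDescriptionUnsafe(description) {
  return `<div class="channel" title="${description}">${description}</div>`;
}

// Hardened pattern: every user-controlled value is escaped before being
// placed into HTML, so the browser displays the payload as literal text.
function renderDescriptionSafe(description) {
  const safe = escapeHtml(description);
  return `<div class="channel" title="${safe}">${safe}</div>`;
}

// Review/test helper (assumed): does the rendered fragment contain any
// tag other than the template's own <div>? True means user input was
// interpreted as markup.
function introducesMarkup(html) {
  const tags = html.match(/<\/?([a-zA-Z][\w-]*)/g) || [];
  return tags.some((t) => !/^<\/?div$/.test(t));
}

console.log('unsafe:', renderDescriptionUnsafe(PAYLOAD));
console.log('safe:  ', renderDescriptionSafe(PAYLOAD));
```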

[Screenshot: CVE-2023-30096 XSS PoC in TotalJS Messenger]

PoC

References