SOPlanning v1.46.01 XSS / Session Hijack

Disclosure Date: 07/06/2020

SOPlanning v1.46.01 (and possibly earlier versions) is affected by a persistent (stored) cross-site scripting vulnerability that can be leveraged for session hijacking. An attacker who plants the XSS payload can retrieve the session cookie of a logged-in administrator and take over the administrator account.

Proof of concept (each step below was a screenshot in the original post; only the captions survive):

1. Add project: insert malicious XSS.
2. When viewing Stats.
3. When viewing Audit.
4. When adding Statutes: insert malicious XSS.
5. Repeatable in Places.
6. Repeatable in Resources.
7. With a handler set up, we are able to capture the session cookie.
8. We tamper with the cookie.
9. We refresh and we're logged in as the admin.
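The two controls that break this attack chain are output encoding of stored values (the project, statute, place and resource names) and marking the session cookie HttpOnly so script cannot read it. The following is an added illustration written for this write-up, not SOPlanning's own code; the cookie name, the row renderer and the sample project name are assumptions, and the `<script>` marker is a placeholder, not a working payload.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample: a stored project name carrying markup. The script body
# is an inert marker; the point is only that the tags reach the page.
PROJECT_NAME = "<script>/* marker */</script>Q3 Migration"

# Assumed cookie name; SOPlanning's real session cookie name is not on the page.
SESSION_COOKIE_NAME = "PHPSESSID"


def render_project_row_vulnerable(name: str) -> str:
    """Echoes stored data into HTML verbatim: the bug class in the advisory.

    Whatever was saved in the project form is interpreted by the browser
    when Stats or Audit later renders the row.
    """
    return f"<td>{name}</td>"


def render_project_row_hardened(name: str) -> str:
    """HTML-entity encodes the stored value, so the browser shows it as text."""
    return f"<td>{html.escape(name, quote=True)}</td>"


def contains_active_markup(rendered: str) -> bool:
    """Crude check used here only to contrast the two renderers above."""
    lowered = rendered.lower()
    return "<script" in lowered or "onerror=" in lowered or "onload=" in lowered


def session_cookie_header(session_id: str) -> str:
    """Build a Set-Cookie value for the session id that script cannot read.

    HttpOnly keeps document.cookie from exposing it (so a stored XSS cannot
    exfiltrate it), Secure limits it to TLS, SameSite=Lax limits cross-site
    sends. The id itself is whatever the application generates.
    """
    jar = SimpleCookie()
    jar[SESSION_COOKIE_NAME] = session_id
    morsel = jar[SESSION_COOKIE_NAME]
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["samesite"] = "Lax"
    morsel["path"] = "/"
    return morsel.OutputString()


if __name__ == "__main__":
    print(render_project_row_vulnerable(PROJECT_NAME))
    print(render_project_row_hardened(PROJECT_NAME))
    print(session_cookie_header("constructed-session-id"))
```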