
NationBuilder Multiple Stored XSS Vulnerabilities

Medium
Advisory ID: ZSL-2016-5318
Release Date: 23 April 2016
Vendor: NATIONBUILDER WHQ - http://www.nationbuilder.com
Affected Version: unknown
CVE: N/A
Tested On: Apache/2.2.22 (Ubuntu), Phusion Passenger 4.0.48

Summary

NationBuilder is a unique nonpartisan community organizing system that brings together a comprehensive suite of tools that today's leaders and creators need to gather their tribes. Deeply social.

Description

The application suffers from multiple stored XSS vulnerabilities. Input passed to several POST parameters is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
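
The stored flow described above, shown next to its mitigation, as an added example that is not code from NationBuilder or from the advisory: a POST parameter is saved unchanged, then rendered once without and once with output encoding. The parameter names, the in-memory store and the probe values are constructed for illustration, and Ruby is an assumption about the application's language.

```ruby
require 'erb'

# Constructed in-memory stand-in for the database behind a profile form.
STORE = {}

# POST handler: persists the submitted parameters unchanged.
# 'name' and 'website' are hypothetical parameter names.
def save_profile(id, params)
  STORE[id] = { 'name' => params['name'].to_s,
                'website' => params['website'].to_s }
end

# Vulnerable pattern: stored values are interpolated straight into markup,
# so any HTML they contain is parsed by every visitor's browser.
def render_unsafe(id)
  rec = STORE.fetch(id)
  %(<a class="profile" href="#{rec['website']}">#{rec['name']}</a>)
end

# Encoding does not neutralise non-http(s) schemes, so href values
# are additionally restricted to an allow-list.
def safe_href(url)
  url.match?(%r{\Ahttps?://}i) ? url : '#'
end

# Encode & < > " ' at output time, in element and attribute context.
def h(value)
  ERB::Util.html_escape(value)
end

# Hardened pattern: same stored data, encoded at the point of output.
def render_safe(id)
  rec = STORE.fetch(id)
  %(<a class="profile" href="#{h(safe_href(rec['website']))}">#{h(rec['name'])}</a>)
end

# Constructed, harmless markup probes of the kind used in a regression test.
save_profile(1, 'name' => '<b id="probe">x</b>',
                'website' => 'https://example.org/?q="x"')
puts render_unsafe(1) # probe arrives as live markup
puts render_safe(1)   # probe arrives as inert text
```
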

Proof of Concept
Disclosure Timeline
11.04.2016 - Vulnerability discovered.
12.04.2016 - Vendor contacted.
22.04.2016 - No response from the vendor.
23.04.2016 - Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
23.04.2016 - Initial release
26.04.2016 - Added reference [1] and [2]
27.04.2016 - Added reference [3]
21.05.2016 - Added reference [4]