Medium 5.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Affected: Talk / Spreed 6.0.3
The name of a file is echoed without encoding when moving the mouse onto it in the projects tab of a conversation, leading to persistent XSS.
A successful attack requires an account with low-level permissions and ordinary user interaction by the victim (interacting with the projects of a Talk conversation in the usual manner).
Successful exploitation allows the attacker to take over the account of the attacked user. If the attacked user is an administrator, this would give the attacker full access to the application and files.
To place the payload as the attacker:
test'"><img src>.txt
Share the file with the victim.
To trigger the payload as the victim:
Successful exploitation allows an attacker to read any data the attacked user has access to, or to perform arbitrary requests the user can perform.
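The missing output encoding described above, shown next to the encoded form. This is an added example, not code from the report or from Nextcloud Talk: the list-item markup and the function names are hypothetical, and only the file name is taken from the report.

```javascript
// Added example: hypothetical markup, not Nextcloud Talk's actual code.

// Characters that are significant in HTML text and quoted attribute values.
const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode a value for use in HTML text or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable pattern: the file name is concatenated into the hover
// title and the visible label without encoding.
function renderEntryUnsafe(fileName) {
  return '<li class="entry" title="' + fileName + '">' + fileName + '</li>';
}

// Hardened pattern: same markup, file name encoded at output time.
function renderEntrySafe(fileName) {
  const encoded = escapeHtml(fileName);
  return '<li class="entry" title="' + encoded + '">' + encoded + '</li>';
}

// Crude regression check (not an HTML parser): names of every start tag
// that appears in the generated markup.
function openedTags(html) {
  return [...html.matchAll(/<([a-zA-Z][a-zA-Z0-9]*)/g)].map((m) => m[1].toLowerCase());
}

// File name from the report.
const fileName = `test'"><img src>.txt`;

console.log(openedTags(renderEntryUnsafe(fileName))); // extra img elements
console.log(openedTags(renderEntrySafe(fileName)));   // only the li element
console.log(renderEntrySafe(fileName));
```

In browser code, assigning the name through `textContent` and `setAttribute` instead of building markup strings removes the need for manual encoding.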