InfoSec Write-ups


How I Discovered a CVE by Scanning Open Source Repositories

In this write-up, I share my journey of uncovering a Cross-Site Scripting (XSS) vulnerability in the search functionality and course tags of the open-source CMS/LMS known as Frappe. It ended with me being assigned a CVE, CVE-2023-5555.

A SAST (Static Application Security Testing) tool is software that analyzes source code, or compiled binaries, without running the program. It looks for security vulnerabilities and coding errors and checks compliance with coding standards.

Introduction

With the knowledge that a CMS often presents ample opportunities for XSS vulnerabilities, I embarked on an experiment by scouring GitHub for “Open Source CMS.” My search led me to the Frappe LMS repository (Frappe LMS Repository), boasting 300 forks and almost 700 stars. One might assume that an open-source project with such popularity would prioritize security. However, my findings suggested otherwise.


Leveraging SemGrep for Analysis

To expedite the process, I employed the remarkable free code analysis tool SemGrep. SemGrep is a fast, efficient static analysis engine designed to identify bugs, detect vulnerable dependencies, and enforce code standards. After creating an account, I entered the Git repository I intended to scan.

SemGrep Dashboard

Upon completion, SemGrep presented me with a comprehensive analysis report, allowing me to prioritize recommendations based on severity.

All that was left was to confirm the exploits…

Confirmed XSS Exploits
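As an added illustration of the bug class confirmed above (example code, not Frappe LMS's code and not the maintainers' patch): a search term and course tags written into HTML without escaping, beside the escaped form, plus a small check a maintainer could keep in a unit test. The function names and the markup layout are assumptions made for this example.

```python
import html
import re

# Constructed sample input: a search query and a course tag that carry
# harmless HTML markup, standing in for whatever a user could submit.
SAMPLE_QUERY = 'python <i>beginner</i>'
SAMPLE_TAGS = ['devops', '<b>security</b>']


def render_results_unescaped(query: str, tags: list[str]) -> str:
    """Vulnerable form: user-controlled strings are concatenated straight
    into HTML, so any markup in the query or a tag becomes part of the page
    (reflected XSS)."""
    tag_html = "".join(f'<span class="tag">{t}</span>' for t in tags)
    return f'<h2>Results for "{query}"</h2><div class="tags">{tag_html}</div>'


def render_results_escaped(query: str, tags: list[str]) -> str:
    """Hardened form: every user-controlled string is HTML-escaped at the
    point where it is written into markup, so it renders as text only."""
    tag_html = "".join(
        f'<span class="tag">{html.escape(t, quote=True)}</span>' for t in tags
    )
    return (f'<h2>Results for "{html.escape(query, quote=True)}"</h2>'
            f'<div class="tags">{tag_html}</div>')


_TAG_RE = re.compile(r'<[^>]+>')


def leaked_markup(rendered: str, user_inputs: list[str]) -> list[str]:
    """Defensive check: return every tag taken from the user inputs that
    appears verbatim (unescaped) in the rendered output. An empty list means
    all user-supplied markup was neutralised."""
    leaked = []
    for value in user_inputs:
        for tag in _TAG_RE.findall(value):
            if tag in rendered:
                leaked.append(tag)
    return leaked


if __name__ == "__main__":
    inputs = [SAMPLE_QUERY, *SAMPLE_TAGS]
    for name, renderer in (("unescaped", render_results_unescaped),
                           ("escaped", render_results_escaped)):
        print(name, "->", leaked_markup(renderer(SAMPLE_QUERY, SAMPLE_TAGS), inputs))
```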

Collaboration and Disclosure

Initially, I reached out to the maintainers, noting the absence of a Security.md file, and urged them to incorporate one. Despite no response, I observed ongoing git commits and merges. Eventually, I turned to Huntr, a platform initially catering to all open-source projects and offering a $100 bounty funded by donations. However, following its acquisition by MLSecOps, the platform ceased this functionality, limiting bounties to ML/AI open-source projects.

For detailed insights, refer to the open bug report: Huntr Report

Huntr Discussions on the Report

Resolution and CVE Assignment

Upon submitting my findings to Huntr, they promptly engaged with the maintainers, who acknowledged the issue and implemented a patch. The entire process was transparent, documented within the submission timeline.

Following the patch, I requested a CVE, which was graciously assigned as CVE-2023-5555 — a memorable number indeed!

For more details, refer to the CVE entry: CVE-2023-5555

CVE-2023-5555

Conclusion

Frappe LMS responded swiftly and effectively to mitigate the threat, demonstrating their commitment to security. Additionally, I commend the Huntr staff and encourage fellow bug hunters to explore the platform’s capabilities.

“Until next time” — Scott Lindh

Hack the Planet! Stay vigilant, stay informed, and return for continuous enlightenment

Gratitude for your engagement, and remember: knowledge is the ultimate power — keep expanding!

To stay updated, follow me on LinkedIn or Twitter


Published in InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Subscribe to our weekly newsletter for the coolest infosec updates: https://weekly.infosecwriteups.com/

Written by Scott Lindh

I am Scott a 30-year coding veteran exploring the digital cosmos. 🕵️‍♂️💻 Not just a hacker, I debug the planet, turning bugs into cosmic features. 🚀🐛
