#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:     BOINC Server
# Vendor:      BOINC
# CSNC ID:     CSNC-2025-003
# CVE ID:      CVE-2025-0667
# Subject:     BOINC Stored XSS Injection
# Risk:        Critical
# Effect:      Remotely exploitable
# Researcher:  Raphaël Arrouas (Xel) via Managed Bugbounty Program
# Coordinator: Michael Häseler <michael.haeseler@compass-security.com>
# Date:        21.01.2025
#
#############################################################

Introduction
------------

BOINC is a software platform for "volunteer computing": large-scale distributed high-throughput computing using volunteered home computers and other resources. [1]

Affected
--------

Vulnerable:
 * All versions <= 1.4.7

Not vulnerable:
 * All versions > 1.4.7

Not tested:
 *

Technical Description
---------------------

There is a stored XSS in the pm.php module that allows an attacker to plant malicious JavaScript in the inboxes of arbitrary users. It can be exploited thanks to an injection in the BBcode parser logic.

To write a message the following URL is used:

https://<URL_TO_VULNERABLE_ENDPOINT>/pm.php?action=new

Enter the account that should be attacked (by username). The subject can be anything. The message content must be as follows:

[email][email] onfocus=alert(document.cookie) autofocus [/email][/email]

The XSS will trigger when the victim opens their inbox at

https://<URL_TO_VULNERABLE_ENDPOINT>/pm.php?action=inbox

or through their profile.

Workaround / Fix
----------------

Update to the most recent version of BOINC Server.

Timeline
--------

2024-12-12: Discovery by Hunter
2025-01-27: Assigned CVE-2025-0667
2025-02-03: Initial vendor notification
2025-03-12: Initial vendor response
2025-03-17: Release of fixed Version / Patch
2009-XX-XX: Public disclosure date

References
----------

[1] https://github.com/BOINC/boinc
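Added example for the Technical Description above (not BOINC's code and not from the advisory): a constructed, simplified BBcode [email] converter that re-applies its substitution on nested tags, next to a hardened single-pass version, plus a check that lists the on* attributes a browser would see in the rendered message. The tag grammar, the address pattern and all function names are assumptions.

```python
import html
import re
from html.parser import HTMLParser

# Payload exactly as printed in the advisory; used here only as test input.
ADVISORY_PAYLOAD = "[email][email] onfocus=alert(document.cookie) autofocus [/email][/email]"

EMAIL_TAG = re.compile(r"\[email\](.*?)\[/email\]", re.DOTALL)
# Hypothetical strict address grammar: no quotes, spaces, brackets, '&' or ';'.
ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def naive_render(text: str) -> str:
    """Constructed vulnerable-style converter: repeats the substitution until no
    tag is left and never escapes or validates. With nested tags the second pass
    writes '<a href="' inside the first pass's quoted href, so the rest of the
    message text ends up in attribute position."""
    while EMAIL_TAG.search(text):
        text = EMAIL_TAG.sub(r'<a href="mailto:\1">\1</a>', text)
    return text


def safe_render(text: str) -> str:
    """Hardened converter: escape the whole message first, run one pass only,
    and emit a link only when the tag body is a single plausible address."""
    escaped = html.escape(text, quote=True)

    def link(m: re.Match) -> str:
        addr = m.group(1).strip()
        if ADDRESS.fullmatch(addr):
            return f'<a href="mailto:{addr}">{addr}</a>'
        return m.group(0)  # nested or malformed tag stays literal text

    return EMAIL_TAG.sub(link, escaped)


class _AttrCollector(HTMLParser):
    """Collects the attribute names of every start tag in rendered HTML."""
    def __init__(self) -> None:
        super().__init__()
        self.names: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.names.extend(name for name, _ in attrs)


def event_handler_attrs(rendered: str) -> list[str]:
    """Regression check: any on* attribute in the rendered message is a finding."""
    p = _AttrCollector()
    p.feed(rendered)
    p.close()
    return [n for n in p.names if n.startswith("on")]
```

Running `event_handler_attrs` over the naive output of the advisory payload reports `onfocus`, while the hardened output contains no HTML at all.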