Quick facts

Management Summary

Impact

This vulnerability allows attackers to execute arbitrary JavaScript code in the browser of any user who views the malicious content. This can lead to unauthorized actions being taken on behalf of the user, access to sensitive information, and potential further exploitation of the affected system.

Description

Wallos versions 0.9 to 1.2.2 contain a stored XSS vulnerability in all text-based input fields. Specifically, the application fails to properly sanitize user-supplied input in the subscription name field. An attacker can exploit this vulnerability by inserting a malicious payload, such as <script>alert("xss")</script>, into the subscription name when adding a new subscription. This malicious script is then stored within the application's database and executed in the browser of any user who accesses the affected content, leading to the execution of the scripted alert or any other JavaScript code the attacker chooses to include. This vulnerability poses a significant security risk as it can be used to execute scripts in the context of the user's session, potentially leading to sensitive data exposure, session hijacking, and other malicious activities.

Mitigation

It is recommended that all users of affected versions of Wallos update to the latest version, which includes the necessary patches to address this vulnerability. Additionally, developers should ensure that all user-supplied input is properly sanitized and validated to prevent similar vulnerabilities in the future. The input validation has been implemented by me with this PR: https://github.com/ellite/Wallos/pull/105#issuecomment-1942725691
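To make the two halves of the mitigation concrete, the following is an added Python example (not Wallos code and not the code from the linked PR): a subscription row rendered by raw string interpolation, the same row with HTML-entity encoding at output time, and a server-side validation step applied when the subscription is added. The field name, the length limit and the sample payload taken from the description above are assumptions made for the demonstration.

```python
import html
import re

# Constructed sample input: the payload quoted in the description above.
SAMPLE_NAME = '<script>alert("xss")</script>'

NAME_MAX_LEN = 100  # assumed limit, chosen for illustration only


def render_subscription_row_vulnerable(name: str, price: str) -> str:
    """Builds the HTML for a subscription row by string interpolation.
    The stored value is inserted unescaped, so any markup in `name`
    becomes part of the page: this is the stored XSS pattern."""
    return f"<tr><td>{name}</td><td>{price}</td></tr>"


def render_subscription_row_hardened(name: str, price: str) -> str:
    """Same row, but every stored value is HTML-entity encoded at output
    time, so the browser displays the text instead of parsing it."""
    return (
        f"<tr><td>{html.escape(name, quote=True)}</td>"
        f"<td>{html.escape(price, quote=True)}</td></tr>"
    )


def validate_subscription_name(name: str):
    """Server-side validation at add time. Returns (ok, reason).
    This is defence in depth; output encoding is what actually stops a
    stored value from being executed, since the database may already
    hold data written before the validation existed."""
    name = name.strip()
    if not name:
        return False, "name must not be empty"
    if len(name) > NAME_MAX_LEN:
        return False, "name too long"
    if re.search(r"[<>]", name):
        return False, "angle brackets are not allowed in a subscription name"
    if any(ord(c) < 0x20 for c in name):
        return False, "control characters are not allowed"
    return True, ""


def contains_script_tag(rendered_html: str) -> bool:
    """Check used by the demo: does the rendered output still contain a
    raw <script tag that a browser would execute?"""
    return "<script" in rendered_html.lower()


if __name__ == "__main__":
    price = "9.99"
    vulnerable = render_subscription_row_vulnerable(SAMPLE_NAME, price)
    hardened = render_subscription_row_hardened(SAMPLE_NAME, price)
    print("vulnerable render executes script:", contains_script_tag(vulnerable))
    print("hardened render executes script:  ", contains_script_tag(hardened))
    print("validation result for payload:    ", validate_subscription_name(SAMPLE_NAME))
    print("validation result for 'Netflix':  ", validate_subscription_name("Netflix"))
```

Encoding at output time is the primary control because it protects every row, including those stored before the fix; the validation step limits what reaches the database but must not be the only barrier.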

Technical deep dive

Wallos is a powerful, open-source, and self-hostable web application designed to empower you in managing your finances with ease. Say goodbye to complicated spreadsheets and expensive financial software – Wallos simplifies the process of tracking expenses and helps you gain better control over your financial life. The official Docker image has over 50k downloads and is actively used and updated.

A primary focus of Wallos is to track your personal subscriptions with one tool. Once additional accounts are created, other users can use the tool as well. To make it easier to track subscriptions, the "Add subscriptions" function is included in the application. Wallos makes it convenient for any user to add a new subscription with all relevant information such as price, currency, billing cycle, etc. Several of these fields are vulnerable to stored XSS.