Reflected Cross-Site Scripting found in the “loginmessage” parameter.
Issue date: 27-10-2020
Affects versions: 14.2
Security Issue ID
SECURITY-170
Affected Product Version(s)
14.0.0, 14.1.0, 14.2.2
Severity
high
Description
A reflected cross-site scripting vulnerability occurs when a malicious user is able to inject JavaScript into parameters that are reflected in the response. Because the payload is not stored in the web application, it is only executed if, for example, a malicious link is clicked.
When a user logs out of the application a message is shown: the value of the “loginmessage” URL parameter is displayed. The value is output directly, so any HTML it contains is rendered. This means that not only can client-side scripts be inserted, a fake HTML login page could also be overlaid. It looks like the user must be logged out of the CMS.
Another vulnerable endpoint found was the “/cms/console” path, which means that a user who is logged in to the CMS but not to the console would still be vulnerable there. The request below shows the payload in the “loginmessage” parameter:
GET /cms/?0&loginmessage=%3Csvg/onload%3Dalert%281%29%3E HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: -snip-
Upgrade-Insecure-Requests: 1
The response shows the reflected payload:
HTTP/1.1 200
Pragma: no-cache
Cache-Control: no-store, no-cache, max-age=0, must-revalidate
X-Frame-Options: sameorigin
Content-Type: text/html;charset=UTF-8
Date: Mon, 08 Jun 2020 00:12:25 GMT
Connection: close
Content-Length: 12452

-snip-
<div class="login-feedback" id="id39">
  <ul class="feedbackPanel">
    <li class="feedbackPanelINFO">
      <span>[Warning: Property for '<svg/onload=alert(1)>' not found]</span>
    </li>
  </ul>
</div>
-snip-
Note that logged-in users are redirected before the “loginmessage” is displayed, so they are not affected.
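As an added example that is not Bloomreach or CMS code, the following Python models the unencoded feedback rendering seen in the response above, the output-encoding fix, and a regression check that flags a raw reflection of the “loginmessage” value in a captured response (the function names and the sample payload handling are assumptions for illustration):

```python
"""Added example: model the loginmessage reflection, the output-encoding fix,
and a check that detects unescaped reflection in a captured response body."""
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample value, the same one shown in the advisory's request.
SAMPLE_VALUE = "<svg/onload=alert(1)>"


def render_feedback_vulnerable(loginmessage: str) -> str:
    """Pre-fix behaviour: the parameter value is placed in the feedback panel
    without encoding, so any markup in it is interpreted by the browser."""
    return ('<li class="feedbackPanelINFO"><span>'
            f"[Warning: Property for '{loginmessage}' not found]"
            "</span></li>")


def render_feedback_fixed(loginmessage: str) -> str:
    """Hardened rendering: HTML-escape the value so it is displayed as text."""
    safe = html.escape(loginmessage, quote=True)
    return ('<li class="feedbackPanelINFO"><span>'
            f"[Warning: Property for '{safe}' not found]"
            "</span></li>")


def reflects_unescaped(request_line: str, response_body: str) -> bool:
    """Regression check over a request line and its response body (as taken
    from a proxy capture or test client): True if a markup-significant
    loginmessage value appears verbatim, i.e. unescaped, in the response."""
    match = re.match(r"^(?:GET|POST)\s+(\S+)", request_line)
    if not match:
        return False
    query = parse_qs(urlsplit(match.group(1)).query, keep_blank_values=True)
    for value in query.get("loginmessage", []):
        if value == html.escape(value, quote=True):
            continue  # plain text only; nothing that could become markup
        if value in response_body:
            return True
    return False
```

Run the check against a patched instance: the sample request line from the advisory combined with the escaped rendering must return False, while the pre-fix rendering returns True.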
Instructions
Customers are recommended to upgrade to the latest maintenance or minor releases as indicated above. This can be done by simply incrementing the version number of the parent POM for the implementation project.
Credit for discovering this issue
Thomas van Ruitenbeek