Summary
Persistent Cross-Site Scripting
CVE
CVE-2020-10203
Product
Nexus Repository Manager
Tested Version
3.20.1
Details
An attacker with elevated privileges can use the REST API to create content selectors with a specially crafted name (the UI does not allow such names). When the content selector is viewed by another user, the crafted name executes arbitrary JavaScript in the context of the NXRM application.
Impact
The identified vulnerability allows arbitrary JavaScript to run in an NXRM user's browser in the context of the application. As is typical of XSS, the injected JavaScript could forge requests on behalf of the user, redirect the user to another site, or modify the page content.
Remediation
Escape content selector names when they are rendered by the front-end.
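An added illustration of that remediation (example code, not NXRM's own front-end): the content selector name is attacker-controlled data stored through the REST API, so the renderer must escape it instead of concatenating it into markup. The row layout and the crafted selector below are constructed for the example.

```javascript
// Added example, not NXRM code: render content selector names safely.
// The name arrives from the REST API under the control of a privileged
// attacker, so it must be treated as untrusted text, never as HTML.

// Escape the five characters that can change HTML context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the name is concatenated straight into markup, so a
// crafted name becomes live HTML when another user views the selector list.
function renderRowUnsafe(selector) {
  return `<tr><td>${selector.name}</td><td>${selector.description}</td></tr>`;
}

// Remediated pattern: every untrusted field is escaped at render time.
function renderRowSafe(selector) {
  return `<tr><td>${escapeHtml(selector.name)}</td><td>${escapeHtml(selector.description)}</td></tr>`;
}

// Constructed sample: a name that the UI's validation would reject but
// that can be submitted through the REST API.
const craftedSelector = {
  name: "docker-team<script>alert(1)</script>",
  description: 'Docker images for team "A" & "B"',
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(renderRowUnsafe(craftedSelector)); // contains a live <script> tag
  console.log(renderRowSafe(craftedSelector));   // the tag is shown as plain text
}
```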
Coordinated Disclosure Timeline
- 02/03/2020: Report sent to Vendor
- 02/03/2020: Sonatype acknowledged report
- 02/14/2020: Sonatype raises questions about some of the issues
- 02/17/2020: GHSL answers Sonatype questions
- 02/19/2020: Sonatype agrees with GHSL comments
Vendor advisories
CVE-2020-10203 Nexus Repository Manager 3 - Cross Site Scripting XSS - 2020-03-31
Credit
This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).
Contact
You can contact the GHSL team at securitylab@github.com; please include the reference GHSL-2020-016 in any communication regarding this issue.