April 3, 2020

GHSL-2020-016: Persistent Cross-Site scripting in Nexus Repository Manager

Alvaro Muñoz

Summary

Persistent Cross-Site Scripting

CVE

CVE-2020-10203

Product

Nexus Repository Manager

Tested Version

3.20.1

Details

An attacker with elevated privileges can use the REST API to create content selectors with a specially crafted name (the UI does not allow such names); when the selector is viewed by another user, the crafted name executes arbitrary JavaScript in the context of the NXRM application.

Impact

The identified vulnerability allows arbitrary JavaScript to run in an NXRM user's browser in the context of the application. As is typical of XSS, the injected JavaScript could forge requests on behalf of the user, redirect the user to another site, or modify the page content.

Remediation

Escape content selector names when rendered by the front-end
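The following is an added example illustrating the remediation above (escaping untrusted content selector names at render time) together with the detail that the REST API accepted names the UI refused. It is not code from the advisory or from the Nexus Repository Manager project: the `escapeHtml` helper, the `renderSelectorRow` functions, the `SELECTOR_NAME_PATTERN` allowlist and the constructed `craftedSelector` sample are all assumptions made for the illustration, not NXRM's actual rendering code or validation rules.

```javascript
// Added example (not Nexus Repository Manager code): output-encode
// content selector names before they reach HTML, and reject unexpected
// names at the API boundary as defence in depth.

// The five characters that change meaning in HTML text and quoted attributes.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape a value for safe interpolation into HTML text or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render one row of a content-selector listing. The name and description
// are untrusted (they come from whoever created the selector through the
// REST API), so every interpolation goes through escapeHtml.
function renderSelectorRow(selector) {
  return (
    '<tr>' +
    `<td class="name">${escapeHtml(selector.name)}</td>` +
    `<td class="description">${escapeHtml(selector.description)}</td>` +
    '</tr>'
  );
}

// Unsafe rendering for comparison: the name lands in the markup verbatim,
// which is the pattern the advisory's remediation removes.
function renderSelectorRowUnsafe(selector) {
  return (
    '<tr>' +
    `<td class="name">${selector.name}</td>` +
    `<td class="description">${selector.description}</td>` +
    '</tr>'
  );
}

// Defence in depth (assumed allowlist, not NXRM's real rule): accept only a
// conservative character set for selector names at the API boundary, so the
// REST API does not accept names the UI already refuses. Output encoding
// above remains the primary control; this check is supplementary.
const SELECTOR_NAME_PATTERN = /^[A-Za-z0-9_.-]{1,200}$/;

function isValidSelectorName(name) {
  return typeof name === 'string' && SELECTOR_NAME_PATTERN.test(name);
}

// Constructed sample: a selector whose name carries markup.
const craftedSelector = {
  name: '<script>alert(1)</script>',
  description: 'raw & "quoted" text',
};

// Unsafe rendering embeds the markup; safe rendering shows it as text.
console.log(renderSelectorRowUnsafe(craftedSelector));
console.log(renderSelectorRow(craftedSelector));
// The allowlist rejects the crafted name but accepts a typical one.
console.log(isValidSelectorName(craftedSelector.name));
console.log(isValidSelectorName('docker-public_1.0'));
```

The key design point is that escaping is applied at the rendering boundary, not at creation time: a name stored raw is harmless as long as every place that puts it into HTML encodes it, whereas a single unescaped interpolation is enough to reproduce the issue. The allowlist is only a second layer; it must not be relied on as the fix, because any future API path that skips it would reopen the bug.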

Coordinated Disclosure Timeline

  • 02/03/2020: Report sent to Vendor
  • 02/03/2020: Sonatype acknowledged report
  • 02/14/2020: Sonatype raises questions about some of the issues
  • 02/17/2020: GHSL answers Sonatype questions
  • 02/19/2020: Sonatype agrees with GHSL comments

Vendor advisories

CVE-2020-10203 Nexus Repository Manager 3 - Cross Site Scripting XSS - 2020-03-31

Credit

This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).

Contact

You can contact the GHSL team at securitylab@github.com; please include GHSL-2020-016 in any communication regarding this issue.