An XSS issue in the EndUser login page was identified in Apache Syncope. Combined with GHSL-2020-029 or GHSL-2020-055, this XSS may be escalated into RCE.
The EndUser login page reflects the successMessage parameter with some sanitization (app.js):
component.show(String(message).replace(/<[^>]+>/gm, ''), "success");
However, this sanitization only removes tags that are fully closed; a tag that is never terminated is left in the string untouched. Unfortunately, most modern browsers will automatically close unclosed tags when rendering, thus enabling a bypass.
Even though the XSS issue is on the login page, it will also trigger if the victim is already logged in when clicking the malicious link. This is important because if the different apps (enduser and core) share the same origin (scheme+host+port), an attacker may use this XSS to target a Syncope administrator and send arbitrary requests to the REST API. When combined with GHSL-2020-029 or GHSL-2020-055, this would allow an attacker to escalate this XSS into RCE.
Rather than trying to sanitize the user input, escape the successMessage parameter for HTML context.
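The following is an added example, not Syncope's code or the actual fix commit: it reproduces the tag-stripping filter quoted above next to a minimal HTML-context escaper of the kind the fix recommends, and runs both over constructed sample messages to show why only the escaper neutralises an unterminated tag. The escapeHtml and containsRawTagOpener helpers are assumptions for illustration.

```javascript
// Added example (not from the Syncope code base).

// The sanitizer from the advisory: removes only tags that are closed with '>'.
function stripClosedTags(message) {
  return String(message).replace(/<[^>]+>/gm, '');
}

// HTML-context escaping (assumed fix shape): instead of recognising tags,
// neutralise every character that can change the parsing context.
function escapeHtml(message) {
  return String(message).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[ch]));
}

// Defender's quick check: does a raw tag opener still survive in a value
// that is about to be written into the DOM?
function containsRawTagOpener(s) {
  return /<[a-zA-Z!\/]/.test(s);
}

// Constructed sample messages.
const samples = [
  '<b>Saved</b>', // closed tag: the filter removes it
  'Saved <b',     // unterminated tag: the filter leaves it; a browser auto-closes it
];

// Compare both approaches on every sample.
function demo() {
  return samples.map((s) => ({
    input: s,
    stripped: stripClosedTags(s),
    strippedStillHasTag: containsRawTagOpener(stripClosedTags(s)),
    escaped: escapeHtml(s),
    escapedStillHasTag: containsRawTagOpener(escapeHtml(s)),
  }));
}
```

Running demo() shows the unterminated sample passing through stripClosedTags unchanged while escapeHtml converts its '<' to '&lt;', which the browser renders as literal text.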
This issue was addressed in the following commit
This report was subject to the GHSL coordinated disclosure policy.
This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).
You can contact the GHSL team at firstname.lastname@example.org; please include GHSL-2020-054 in any communication regarding this issue.