skip to content
Back to GitHub.com
Home Bounties Research Advisories Get Involved Events
February 1, 2022

GHSL-2021-103: Cross-Site Scripting (XSS) in Erxes - CVE-2021-32853

GitHub Security Lab

Coordinated Disclosure Timeline

Summary

Cross-Site scripting in https://github.com/erxes/erxes.

Product

https://github.com/erxes/erxes

Tested Version

The latest version to the date.

Details

This template tag in widgets.ejs is vulnerable to code injection:

        window.knowledgebaseSettings = {
          topic_id: "<%- kbTopicId %>"
        }

The value comes from a request parameter here:

  res.render('widget', {
    type: 'knowledgebase',
    env: getEnv(),
    kbTopicId: req.query.topicId
  });

The inserted value is not escaped, so one can break out of the string literal or the enclosing script tag:

At the time of writing, this can be verified on the live demo following these links: (they are harmless)

CVE

Impact

Code Execution (on client side). The victim must follow a malicious link or be redirected from a malicious web site.

Credit

This issue was discovered by @asgerf (Asger F) from the GitHub CodeQL team.

Contact

You can contact the GHSL team at securitylab@github.com, please include GHSL-2021-103 in any communication regarding this issue.