Coordinated Disclosure Timeline
- 2021-10-29: Report sent to hello@agentejo.com
- 2022-03-25: Publishing as per our disclosure policy
Summary
Bad HTML sanitization in htmleditor.js
may lead to cross-site scripting (XSS) issues.
Product
Cockpit Next
Tested Version
Latest at time of writing (0c6628c)
Details
Issue: Bad HTML sanitization in htmleditor.js (GHSL-2021-1035)
The HTML sanitizer does not account for closing tags with trailing whitespace before the ">", e.g. </script >. Browsers still treat such a tag as a valid end tag, so any malicious script in the form of <script>alert(document.domain)</script > will survive the sanitization and will be executed when the content is rendered.
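To illustrate the class of bug described above, here is an added, constructed example (not the code of Cockpit's htmleditor.js, whose actual matching logic is not shown on this page): a simplified script-stripping sanitizer whose closing-tag pattern requires exactly "</script>", beside a hardened variant that tolerates whitespace before ">", plus a check that reports whether a script start tag survives. The regex patterns, function names and sample inputs are all assumptions made for the illustration.

```javascript
// Constructed illustration, not Cockpit's htmleditor.js.
// The weak pattern only recognises the exact closing tag "</script>", so an
// element closed with "</script >" (trailing space) is never matched and
// survives. The hardened pattern allows whitespace between the tag name and
// ">", which is how browsers tokenise end tags.

// Weak: closing tag must be exactly "</script>".
const WEAK_SCRIPT_RE = /<script\b[^>]*>[\s\S]*?<\/script>/gi;

// Hardened: tolerate space, tab or newline before the closing ">".
const HARDENED_SCRIPT_RE = /<script\b[^>]*>[\s\S]*?<\/script\s*>/gi;

function sanitizeWeak(html) {
  return html.replace(WEAK_SCRIPT_RE, "");
}

function sanitizeHardened(html) {
  return html.replace(HARDENED_SCRIPT_RE, "");
}

// Detection helper: true if any <script ...> start tag remains after sanitizing.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample inputs; the second one is the page's variant with a
// trailing space, the third uses a newline before ">".
const SAMPLES = [
  "<p>hi</p><script>alert(1)</script>",
  "<p>hi</p><script>alert(document.domain)</script >",
  "<p>hi</p><script>alert(1)</script\n>",
];

// For each sample, report whether a script tag leaks through each sanitizer.
function demo() {
  return SAMPLES.map((s) => ({
    weakLeaks: containsScriptTag(sanitizeWeak(s)),
    hardenedLeaks: containsScriptTag(sanitizeHardened(s)),
  }));
}
```

Regex-based stripping is shown here only to make the matching mistake visible; a production sanitizer should parse the HTML and apply an element/attribute allowlist rather than pattern-match tag text.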
Impact
This issue may lead to cross-site scripting (XSS).
Resources
This issue was found using CodeQL.
PoC:
- Start an instance:
sudo docker run -d --name cockpit -p 8080:80 agentejo/cockpit
- Open http://localhost:8080/.
- Login with username: admin, password: admin.
. - Create a new collection (press the plus in the “Collections” box).
- Add a field, and set the field type to HTML (click the cog in the right).
- Fill in the required details (press “SAVE” in the bottom to see what you’ve missed).
- Go to the entries for the newly created collection (there is a “Show entries” button at the bottom after you press save; alternatively you can click the collection from the front page).
- Create a new entry.
- Paste the following into the editor:
<script>alert(123)</script >
- Observe that an alert box will appear in the browser.
CVE
- CVE-2021-32857
Credit
This issue was discovered and reported by GitHub team member @erik-krogh (Erik Krogh Kristensen).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2021-1035 in any communication regarding this issue.