Coordinated Disclosure Timeline
- 2021-08-31: Report sent to maintainers.
- 2021-09-04: Maintainers respond that a fix was made, but they are reviewing the code for similar vulnerabilities.
- 2021-11-10: v21.11 with the fix was released.
Summary
Cross-site scripting in https://github.com/Countly/countly-server
Product
https://github.com/Countly/countly-server
Tested Version
The latest version available at the time of reporting.
Details
Code injection is possible in the template snippet in reset.html:
```js
showMessage("<%= message %>", "<%= password_min %>");
```
Both message and password_min come from query parameters passed in here (reformatted below for convenience):
```js
res.render('reset', {
    ...
    "message": req.query.message || "",
    password_min: req.query.password_min || "",
    ...
});
```
The <%= message %> tag performs HTML-escaping, which ordinarily prevents breaking out of the string literal, but the backslash is not escaped, so injection is possible by setting:
- message to a single backslash character
- password_min to the string `, alert(1)); //`
Resulting in the following code generated by the template:
```js
showMessage("\", ", alert(1)); //");
```
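To make the mechanism concrete, the following added example (not code from Countly or from this advisory) renders the same template fragment with an EJS-style HTML escaper, shows that the advisory's two inputs land outside the string literal, and contrasts it with an assumed fix that serialises each value as a JSON string literal. The names htmlEscape, jsStringLiteral and splitLiterals are chosen here and are not part of the project.

```javascript
// Added example (not Countly's own code): why HTML entity escaping is the
// wrong escaper for a JavaScript string literal, and a safe alternative.

// HTML escaping as done by a typical <%= %> template tag. The backslash is
// absent from this table, as it is in EJS-style escapers.
function htmlEscape(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&#34;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern from the advisory: HTML-escaped values placed inside
// JavaScript string literals.
function renderVulnerable(message, passwordMin) {
  return `showMessage("${htmlEscape(message)}", "${htmlEscape(passwordMin)}");`;
}

// Hardened pattern (an assumed fix, not the vendor's patch): serialise each
// value as a JSON string literal, which escapes backslashes and quotes, and
// additionally escape "<" so "</script>" cannot terminate the script element.
function jsStringLiteral(s) {
  return JSON.stringify(String(s)).replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028').replace(/\u2029/g, '\\u2029');
}
function renderHardened(message, passwordMin) {
  return `showMessage(${jsStringLiteral(message)}, ${jsStringLiteral(passwordMin)});`;
}

// Minimal scanner: separate double-quoted string literals (honouring
// backslash escapes) from the code around them, without executing anything.
// Everything returned in `code` is what a JS engine would treat as code.
function splitLiterals(src) {
  let code = '';
  const literals = [];
  for (let i = 0; i < src.length; i++) {
    if (src[i] !== '"') { code += src[i]; continue; }
    let raw = '';
    for (i++; i < src.length && src[i] !== '"'; i++) {
      raw += src[i] === '\\' ? src[i] + (src[++i] ?? '') : src[i];
    }
    literals.push(raw);
  }
  return { code, literals };
}

// Constructed inputs: the message / password_min values from the advisory.
const MESSAGE = '\\';
const PASSWORD_MIN = ', alert(1)); //';
```

In the vulnerable rendering the scanner reports `alert(1)` in the code portion, while in the hardened rendering both values round-trip through JSON.parse as the original strings.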
CVE
- CVE-2021-32852
Impact
Code Execution (on client side).
The victim must follow a malicious link or be redirected there from a malicious web site. The attacker must have an account or be able to create one.
It’s unclear how the open-source code relates to the enterprise version of the software. It’s possible only the community edition is affected.
Credit
This issue was discovered by @asgerf (Asger F) from the GitHub CodeQL team.
Contact
You can contact the GHSL team at securitylab@github.com; please include GHSL-2021-104 in any communication regarding this issue.