skip to content
Back to GitHub.com
Home Bounties Research Advisories Get Involved Events
February 1, 2022

GHSL-2021-104: Cross-Site Scripting in countly-server - CVE-2021-32852

GitHub Security Lab

Coordinated Disclosure Timeline

Summary

Cross-site scripting in https://github.com/Countly/countly-server

Product

https://github.com/Countly/countly-server

Tested Version

The latest version to the date.

Details

Code injection is possible in the template snippet in reset.html:

showMessage("<%= message %>", "<%= password_min %>");

Both message and password_min come from query parameters passed in here (reformatted below for convenience):

res.render('reset', {
    ...
    "message": req.query.message || "",
    password_min: req.query.password_min || "",
    ...
});

The <%= message %> tag performs HTML-escaping which ordinarily prevents breaking out of the string literal, but the backslash is not escaped, so injection is possible by setting:

Resulting in the following code generated by the template:

showMessage("\", ", alert(1)); //");

CVE

Impact

Code Execution (on client side).
The victim must follow a malicious link or be redirected there from malicious web site. The attacker must have an account or be able to create one.
It’s unclear how the open-source code relates to the enterprise version of the software. It’s possible only the community edition is affected.

Credit

This issue was discovered by @asgerf (Asger F) from the GitHub CodeQL team.

Contact

You can contact the GHSL team at securitylab@github.com, please include GHSL-2021-104 in any communication regarding this issue.