Coordinated Disclosure Timeline
- 2023-11-29: Maintainer informed via email of vulnerability.
- 2023-12-04: Maintainer confirms they are the correct party for security issues and report is sent.
- 2024-03-14: Maintainer patches vulnerability in commit
Summary
A reflected XSS vulnerability exists in the openrasp cloud interface that allows an unauthenticated attacker to gain the session of users.
Project
openrasp
Tested Version
Details
reflected XSS in /login (GHSL-2023-253)
There exists a reflected XSS in the /login page due to a reflection of the redirect parameter. This allows an attacker to execute arbitrary JavaScript with the permissions of a user after the user logs in with their account.
```javascript
doLogin: function() {
    return request.post('v1/user/login', {
        username: this.username,
        password: this.password
    }).then(res => {
        // the untrusted `redirect` query parameter is used unvalidated
        if (this.$route.query.redirect) {
            location.href = this.$route.query.redirect // assignment of query parameter to DOM
        } else {
            this.$router.replace({
                name: 'dashboard'
            })
        }
    })
}
```
This vulnerability was found with the help of CodeQL
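The root cause above is that a `javascript:` URI survives the assignment to `location.href`. The following is an added example of a hardened redirect check (not openrasp's own code); it assumes an application origin and a default dashboard route, and only honours targets that resolve to a same-origin path.

```javascript
// Added example, not part of openrasp: validate a post-login redirect target.
// The vulnerable code assigns the `redirect` query parameter straight to
// location.href, so a `javascript:` URI executes in the page. Here the value
// is parsed with the WHATWG URL parser relative to the app origin; anything
// whose origin differs (javascript:, data:, protocol-relative or absolute
// URLs to other hosts) falls back to the dashboard route.

const DASHBOARD_PATH = '/#/dashboard'; // assumed default landing route

// Returns a same-origin path (path + query + fragment) to navigate to, or
// DASHBOARD_PATH when `redirect` cannot be trusted.
function safeRedirectTarget(redirect, appOrigin) {
  if (typeof redirect !== 'string' || redirect.length === 0) {
    return DASHBOARD_PATH;
  }
  let origin;
  let parsed;
  try {
    origin = new URL(appOrigin).origin;       // normalise, e.g. drop trailing '/'
    parsed = new URL(redirect, origin);       // relative paths resolve to the app
  } catch (e) {
    return DASHBOARD_PATH;                    // unparsable input is rejected
  }
  // javascript: and other non-http(s) schemes yield origin "null"; foreign
  // hosts yield a different origin. Both are rejected by this single check.
  if (parsed.origin !== origin) {
    return DASHBOARD_PATH;
  }
  // Hand back only the path part so the navigation can never leave the app.
  return parsed.pathname + parsed.search + parsed.hash;
}

// Usage in the login handler (assumed shape of the Vue component):
//   location.href = safeRedirectTarget(this.$route.query.redirect, location.origin)
```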
Impact
This issue may lead to Privilege Escalation and Information Disclosure.
Proof of Concept
The following URL will create an alert showing the cookie value of the logged-in user. This demonstrates that arbitrary JavaScript can be executed and that the cookie value can be accessed, allowing an attacker to steal the cookie and log in. In order to hide the attack from the user, an attacker can URL-encode the payload as a form of obfuscation.
http://openrasp_cloud.domain/#/login?redirect=javascript:alert(document.cookie)
CVE
- CVE-2024-29183
Credit
This issue was discovered and reported by GHSL team member @Kwstubbs (Kevin Stubbings).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2023-253 in any communication regarding this issue.