Common Weakness Enumeration

CWE-80

Allowed

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

Abstraction: Variant · Status: Incomplete

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.

936 vulnerabilities reference this CWE, most recent first.

GHSA-C348-367F-C282

Vulnerability from github – Published: 2025-02-20 12:31 – Updated: 2025-02-20 12:31
VLAI
Details

IBM OpenPages with Watson 8.3 and 9.0 IBM OpenPages

is vulnerable to HTML injection, caused by improper validation of user-supplied input of text fields used to construct workflow email notifications. A remote authenticated attacker could exploit this vulnerability using HTML tags in a text field of an object to inject malicious script into an email which would be executed in a victim's mail client within the security context of the OpenPages mail message. An attacker could use this for phishing or identity theft attacks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-49337"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79",
      "CWE-80"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-20T12:15:09Z",
    "severity": "MODERATE"
  },
  "details": "IBM OpenPages with Watson 8.3 and 9.0 IBM OpenPages \n\n\n\n\n\nis vulnerable to HTML injection, caused by improper validation of user-supplied input of text fields used to construct workflow email notifications. A remote authenticated attacker could exploit this vulnerability using HTML tags in a text field of an object to inject malicious script into an email which would be executed in a victim\u0027s mail client within the security context of the OpenPages mail message. An attacker could use this for phishing or identity theft attacks.",
  "id": "GHSA-c348-367f-c282",
  "modified": "2025-02-20T12:31:15Z",
  "published": "2025-02-20T12:31:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49337"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7183541"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C53H-RG3P-JFV9

Vulnerability from github – Published: 2025-11-06 21:31 – Updated: 2025-11-06 21:31
VLAI
Details

IBM OpenPages 9.1, and 9.0 with Watson is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-33110"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-80"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-06T21:15:42Z",
    "severity": "MODERATE"
  },
  "details": "IBM OpenPages 9.1, and 9.0 with Watson is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim\u0027s Web browser within the security context of the hosting site.",
  "id": "GHSA-c53h-rg3p-jfv9",
  "modified": "2025-11-06T21:31:31Z",
  "published": "2025-11-06T21:31:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-33110"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7250321"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C5FR-6VP5-CWJF

Vulnerability from github – Published: 2025-02-18 09:32 – Updated: 2025-02-18 09:32
VLAI
Details

The Super Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'st_user_title' parameter in all versions up to, and including, 4.0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-13704"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79",
      "CWE-80"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-18T08:15:09Z",
    "severity": "HIGH"
  },
  "details": "The Super Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027st_user_title\u0027 parameter in all versions up to, and including, 4.0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
  "id": "GHSA-c5fr-6vp5-cwjf",
  "modified": "2025-02-18T09:32:45Z",
  "published": "2025-02-18T09:32:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13704"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3240039%40super-testimonial\u0026new=3240039%40super-testimonial\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/20720912-6bfd-4df1-97c7-7025c16d7a0f?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C5G6-6XF7-QXP3

Vulnerability from github – Published: 2024-10-22 17:50 – Updated: 2024-10-22 19:22
VLAI
Summary
Umbraco CMS vulnerable to stored Cross-site Scripting in the "dictionary name" on Dictionary section
Details

Impact

This can be leveraged to gain access to higher-privilege endpoints, e.g. if you get a user with admin privileges to run the code, you can potentially elevate all users and grant them admin privileges or access protected content.

Patches

Will be patched in 14.3.1 and 15.0.0.

Workarounds

Ensure that access to the Dictionary section is only granted to trusted users.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Umbraco.Cms.StaticAssets"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "14.0.0"
            },
            {
              "fixed": "14.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@umbraco-cms/backoffice"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "14.0.0"
            },
            {
              "fixed": "14.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-47819"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79",
      "CWE-80"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-22T17:50:08Z",
    "nvd_published_at": "2024-10-22T16:15:07Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nThis can be leveraged to gain access to higher-privilege endpoints, e.g. if you get a user with admin privileges to run the code, you can potentially elevate all users and grant them admin privileges or access protected content.\n\n### Patches\nWill be patched in 14.3.1 and 15.0.0.\n\n### Workarounds\nEnsure that access to the Dictionary section is only granted to trusted users.\n\n",
  "id": "GHSA-c5g6-6xf7-qxp3",
  "modified": "2024-10-22T19:22:19Z",
  "published": "2024-10-22T17:50:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-c5g6-6xf7-qxp3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47819"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/umbraco/Umbraco-CMS"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Umbraco CMS vulnerable to stored Cross-site Scripting in the \"dictionary name\" on Dictionary section"
}

GHSA-C6VQ-Q4CF-9CGJ

Vulnerability from github – Published: 2026-03-31 12:31 – Updated: 2026-03-31 12:31
VLAI
Details

An attacker might be able to inject HTML content into the internal web dashboard by sending crafted DNS queries to a DNSdist instance where domain-based dynamic rules have been enabled via either DynBlockRulesGroup:setSuffixMatchRule or DynBlockRulesGroup:setSuffixMatchRuleFFI.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-0396"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-80"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-31T12:16:27Z",
    "severity": "LOW"
  },
  "details": "An attacker might be able to inject HTML content into the internal web dashboard by sending crafted DNS queries to a DNSdist instance where domain-based dynamic rules have been enabled via either DynBlockRulesGroup:setSuffixMatchRule or DynBlockRulesGroup:setSuffixMatchRuleFFI.",
  "id": "GHSA-c6vq-q4cf-9cgj",
  "modified": "2026-03-31T12:31:35Z",
  "published": "2026-03-31T12:31:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0396"
    },
    {
      "type": "WEB",
      "url": "https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C9VX-2G7W-RP65

Vulnerability from github – Published: 2023-07-18 16:58 – Updated: 2023-07-19 20:04
VLAI
Summary
matrix-react-sdk vulnerable to XSS in Export Chat feature
Details

Description

The Export Chat feature includes certain attacker-controlled elements in the generated document without sufficient escaping, leading to stored XSS.

Impact

Since the Export Chat feature generates a separate document, an attacker can only inject code run from the null origin, restricting the impact.

However, the attacker can still potentially use the XSS to leak message contents. A malicious homeserver is a potential attacker since the affected inputs are controllable server-side.

Patches

This was patched in matrix-react-sdk 3.76.0.

Workarounds

None, other than not using the Export Chat feature.

References

N/A

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "matrix-react-sdk"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.32.0"
            },
            {
              "fixed": "3.76.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-37259"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79",
      "CWE-80"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-18T16:58:01Z",
    "nvd_published_at": "2023-07-18T17:15:11Z",
    "severity": "MODERATE"
  },
  "details": "### Description\n\nThe Export Chat feature includes certain attacker-controlled elements in the generated document without sufficient escaping, leading to stored XSS.\n\n### Impact\n\nSince the Export Chat feature generates a separate document, an attacker can only inject code run from the `null` origin, restricting the impact.\n\nHowever, the attacker can still potentially use the XSS to leak message contents. A malicious homeserver is a potential attacker since the affected inputs are controllable server-side.\n\n### Patches\nThis was patched in matrix-react-sdk 3.76.0.\n\n### Workarounds\nNone, other than not using the Export Chat feature.\n\n### References\nN/A\n",
  "id": "GHSA-c9vx-2g7w-rp65",
  "modified": "2023-07-19T20:04:38Z",
  "published": "2023-07-18T16:58:01Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-c9vx-2g7w-rp65"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37259"
    },
    {
      "type": "WEB",
      "url": "https://github.com/matrix-org/matrix-react-sdk/commit/22fcd34c606f32129ebc967fc21f24fb708a98b8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/matrix-org/matrix-react-sdk"
    },
    {
      "type": "WEB",
      "url": "https://github.com/matrix-org/matrix-react-sdk/releases/tag/v3.76.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "matrix-react-sdk vulnerable to XSS in Export Chat feature"
}

GHSA-CGCQ-R8PX-29CJ

Vulnerability from github – Published: 2024-05-17 09:31 – Updated: 2024-05-17 09:31
VLAI
Details

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Supsystic Pricing Table by Supsystic allows Code Injection.This issue affects Pricing Table by Supsystic: from n/a through 1.9.12.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-32790"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-80"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-17T09:15:40Z",
    "severity": "MODERATE"
  },
  "details": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Supsystic Pricing Table by Supsystic allows Code Injection.This issue affects Pricing Table by Supsystic: from n/a through 1.9.12.",
  "id": "GHSA-cgcq-r8px-29cj",
  "modified": "2024-05-17T09:31:02Z",
  "published": "2024-05-17T09:31:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32790"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/pricing-table-by-supsystic/wordpress-pricing-table-by-supsystic-plugin-1-9-12-content-injection-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CJMM-X9X9-M2W5

Vulnerability from github – Published: 2023-05-26 13:55 – Updated: 2023-05-26 21:50
VLAI
Summary
Craft CMS stored XSS in review volume
Details

Summary

XSS can be triggered by review volumes

PoC

1. Access setting tab
2. Create new assets
3. In assets name inject payload: "<script>alert(1337)</script>
4. Click Utilities tab
5. Choose all volumes, or volume trigger xss
6. Click Update asset indexes.
7. Wait to assets update success.
8. Progress complete.
9. Click on review button will trigger XSS

Root cause

Function: index.php?p=admin/actions/asset-indexes/process-indexing-session&v=1680710595770 After loading completed, progess will load: "skippedEntries" and "missingEntries" These parameters is not yet filtered, I just tried "skippedEntries" but I think it will be work with "missingEntries"

My reponse:

{ "session": { "id": 10, "indexedVolumes": { "6": "\"alert(1337)" }, "totalEntries": 2235, "processedEntries": 2235, "cacheRemoteImages": true, "listEmptyFolders": false, "isCli": false, "actionRequired": true, "dateCreated": "Apr 5, 2023, 9:03:16 AM", "skippedEntries": [ "\"alert(1337)/assetpreviews/Image.php", "\"alert(1337)/assetpreviews/Pdf.php" ], "missingEntries": { "folders": [], "files": [] }, "processIfRootEmpty": false }, "skipDialog": false }

Resolved in https://github.com/craftcms/cms/commit/053d7119697e480ff81c5723bb9a33eaa49e0fc7

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.4.6"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0-RC1"
            },
            {
              "fixed": "4.4.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-33196"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79",
      "CWE-80"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-05-26T13:55:42Z",
    "nvd_published_at": "2023-05-26T21:15:21Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nXSS can be triggered by review volumes\n\n### PoC\n\n    1. Access setting tab\n    2. Create new assets\n    3. In assets name inject payload: \"\u003cscript\u003ealert(1337)\u003c/script\u003e\n    4. Click Utilities tab\n    5. Choose all volumes, or volume trigger xss\n    6. Click Update asset indexes.\n    7. Wait to assets update success.\n    8. Progress complete.\n    9. Click on review button will trigger XSS\n\n### Root cause\nFunction: index.php?p=admin/actions/asset-indexes/process-indexing-session\u0026v=1680710595770\nAfter loading completed, progess will load: \n\"skippedEntries\"\nand\n\"missingEntries\"\nThese parameters is not yet filtered, I just tried \"skippedEntries\" but I think it will be work with \"missingEntries\"\n\n### My reponse:\n{\n  \"session\": {\n    \"id\": 10,\n    \"indexedVolumes\": {\n      \"6\": \"\\\"\u003cscript\u003ealert(1337)\u003c/script\u003e\"\n    },\n    \"totalEntries\": 2235,\n    \"processedEntries\": 2235,\n    \"cacheRemoteImages\": true,\n    \"listEmptyFolders\": false,\n    \"isCli\": false,\n    \"actionRequired\": true,\n    \"dateCreated\": \"Apr 5, 2023, 9:03:16 AM\",\n    \"skippedEntries\": [\n      \"\\\"\u003cscript\u003ealert(1337)\u003c/script\u003e/assetpreviews/Image.php\",\n      \"\\\"\u003cscript\u003ealert(1337)\u003c/script\u003e/assetpreviews/Pdf.php\"\n    ],\n    \"missingEntries\": {\n      \"folders\": [],\n      \"files\": []\n    },\n    \"processIfRootEmpty\": false\n  },\n  \"skipDialog\": false\n}\n\n\n\nResolved in https://github.com/craftcms/cms/commit/053d7119697e480ff81c5723bb9a33eaa49e0fc7",
  "id": "GHSA-cjmm-x9x9-m2w5",
  "modified": "2023-05-26T21:50:36Z",
  "published": "2023-05-26T13:55:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/security/advisories/GHSA-cjmm-x9x9-m2w5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33196"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/commit/053d7119697e480ff81c5723bb9a33eaa49e0fc7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/craftcms/cms"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/releases/tag/4.4.7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Craft CMS stored XSS in review volume"
}

GHSA-CJQ2-28PQ-MQ54

Vulnerability from github – Published: 2024-04-03 18:30 – Updated: 2024-04-03 18:30
VLAI
Details

A vulnerability in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface.

This vulnerability is due to insufficient input validation by the web-based management interface. An attacker could exploit this vulnerability by persuading a user to visit specific web pages that include malicious payloads. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-20362"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-80"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-03T17:15:49Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface.\n\n This vulnerability is due to insufficient input validation by the web-based management interface. An attacker could exploit this vulnerability by persuading a user to visit specific web pages that include malicious payloads. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.",
  "id": "GHSA-cjq2-28pq-mq54",
  "modified": "2024-04-03T18:30:41Z",
  "published": "2024-04-03T18:30:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20362"
    },
    {
      "type": "WEB",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sbiz-rv-xss-OQeRTup"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CMH9-RX85-XJ38

Vulnerability from github – Published: 2024-02-13 18:34 – Updated: 2024-02-20 16:40
VLAI
Summary
XSS sidekiq-unique-jobs UI server vulnerability
Details

Summary

Cross site scripting (XSS) potentially exposing cookies / sessions / localStorage, fixed by sidekiq-unique-jobs v8.0.7.

Specifically, this is a Reflected (Server-Side), Non-Self, Cross Site Scripting vulnerability, considered a P3 on the BugCrowd taxonomy with the following categorization: Cross-Site Scripting (XSS) > Reflected > Non-Self

It was initially thought there was a second vulnerability (RCE), but it was a false alarm. Injection is impossible with Redis:

String escaping and NoSQL injection The Redis protocol has no concept of string escaping, so injection is impossible under normal circumstances using a normal client library. The protocol uses prefixed-length strings and is completely binary safe.

Ref: https://redis.io/docs/management/security/

XSS Vulnerability

Specially crafted GET request parameters handled by any of the following endpoints of sidekiq-unique-jobs' "admin" web UI, allow a super-user attacker, or an unwitting, but authorized, victim, who has received a disguised / crafted link, to successfully execute malicious code, which could potentially steal cookies, session data, or local storage data from the app the sidekiq-unique-jobs web UI is mounted in.

  1. /changelogs
  2. /locks
  3. /expiring_locks

This means if your sidekiq-unique-jobs web UI is mounted at /sidekiq, the vulnerable paths are:

  1. /sidekiq/changelogs
  2. /sidekiq/locks
  3. /sidekiq/expiring_locks

XSS vulnerability is an instance of CAPEC-32: XSS Through HTTP Query Strings, which is related to CWE-80. In certain cases where it results in a server error with status 500, it could be considered a vector for uncontrolled resource consumption, given that errors can be much more resource intensive that normal requests, and thus CWE-400 & CWE-754 may also be relevant.

Details

Fix for the XSS vulnerability was released in sidekiq-unique-jobs v8.0.7.

This is an analogous attack vector to that which affected sidekiq gem from version v7.0.4 to v7.0.7, and was given identifiers GHSA-h3r8-h5qw-4r35 & CVE-2023-1892.

The vulnerability in sidekiq-unique-jobs' was not fixed by sidekiq v7.0.8, nor the more recent sidekiq v7.2.0 releases; they are similar but unrelated, distinct vulnerabilities in adjacent projects.

Note #1: The admin web UI for sidekiq-unique-jobs is not protected by any authorization constraint in the default configuration. Auth constraints must be configured by the programmer. It is recommended and expected that users will configure authorization constrains on the "admin" UI. This is not specifically related to the vulnerability but may make users who fail to constrain their "admin" UI even more vulnerable.

Note #2: Most users of the library will not have configured the UI on a sandboxed subdomain, making all their cookies, localStorage data and session secrets vulnerable to exposure. The purpose of a sandboxed subdomain is expressly to prevent leaking sensitive data through XSS attacks.

XSS Fix PR: https://github.com/mhenrixon/sidekiq-unique-jobs/pull/829

PoC

XSS

Use a string like:

%22%3E%3Cimg/src/onerror=alert(document.domain)%3E

as the value for one of the parameters that are handled without escaping. Reference: https://liveoverflow.com/do-not-use-alert-1-in-xss/

  1. Visit /sidekiq/changelogs - with a crafted query string like one of the following: a. Screenshot: XSS changelogs sidekiq-unique-jobs lte v8 0 6 b. filter is XSS vulnerable: ?filter=%22%3E%3Cimg/src/onerror=alert(document.domain)%3E c. count is vulnerable to triggering an application error (status 500), potentially allowing resource exhaustion ?count=%22%3E%3Cimg/src/onerror=alert(document.domain)%3E
    1. Screenshot: 1c changelogs count
  2. Visit /sidekiq/locks - with a crafted query string like one of the following: a. Screenshot: XSS locks sidekiq-unique-jobs lte v8 0 6 b. filter is XSS vulnerable: ?filter=%22%3E%3Cimg/src/onerror=alert(document.domain)%3E c. count is vulnerable to triggering an application error (status 500), potentially allowing resource exhaustion ?count=%22%3E%3Cimg/src/onerror=alert(document.domain)%3E
    1. Screenshot: 2c locks count
  3. Visit /sidekiq/expiring_locks - with a crafted query string like one of the following: a. Screenshot: XSS expiring_locks sidekiq-unique-jobs lte v8 0 6 b. filter is XSS vulnerable: ?filter=%22%3E%3Cimg/src/onerror=alert(document.domain)%3E

Impact

This is a vulnerability of critical severity, which impacts many thousands of sites, since sidekiq-unique-jobs is widely deployed across the industry, with multiple attack vectors.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "sidekiq-unique-jobs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.0.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "sidekiq-unique-jobs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0.rc7"
            },
            {
              "fixed": "7.1.33"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-25122"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-754",
      "CWE-79",
      "CWE-80"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-13T18:34:16Z",
    "nvd_published_at": "2024-02-13T19:15:11Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nCross site scripting (XSS) potentially exposing cookies / sessions / localStorage, fixed by `sidekiq-unique-jobs` v8.0.7.\n\nSpecifically, this is a Reflected (Server-Side), Non-Self, Cross Site Scripting vulnerability, considered a **_P3_** on the BugCrowd [taxonomy](https://bugcrowd.com/vulnerability-rating-taxonomy) with the following categorization:\nCross-Site Scripting (XSS) \u003e Reflected \u003e Non-Self\n\nIt was initially thought there was a second vulnerability (RCE), but it was a false alarm.  Injection is impossible with Redis:\n\n\u003e String escaping and NoSQL injection\n\u003e The Redis protocol has no concept of string escaping, so injection is impossible under normal circumstances using a normal client library. The protocol uses prefixed-length strings and is completely binary safe.\n\nRef: https://redis.io/docs/management/security/\n\n**XSS Vulnerability**\n\nSpecially crafted `GET` request parameters handled by any of the following endpoints of `sidekiq-unique-jobs`\u0027 \"admin\" web UI, allow a super-user attacker, or an unwitting, but authorized, victim, who has received a disguised / crafted link, to successfully execute malicious code, which could potentially steal cookies, session data, or local storage data from the app the `sidekiq-unique-jobs` web UI is mounted in.\n\n1. `/changelogs`\n2. `/locks`\n3. `/expiring_locks`\n\nThis means if your `sidekiq-unique-jobs` web UI is mounted at `/sidekiq`, the vulnerable paths are:\n\n1. `/sidekiq/changelogs`\n2. `/sidekiq/locks`\n3. `/sidekiq/expiring_locks`\n\nXSS vulnerability is an instance of [CAPEC-32: XSS Through HTTP Query Strings](https://capec.mitre.org/data/definitions/32.html), which is related to [CWE-80](https://cwe.mitre.org/data/definitions/80.html). In certain cases where it results in a server error with status 500, it could be considered a vector for uncontrolled resource consumption, given that errors can be much more resource intensive that normal requests, and thus [CWE-400](https://cwe.mitre.org/data/definitions/400.html) \u0026 [CWE-754](https://cwe.mitre.org/data/definitions/754.html) may also be relevant.\n\n### Details\n\nFix for the XSS vulnerability was released in `sidekiq-unique-jobs` [v8.0.7](https://github.com/mhenrixon/sidekiq-unique-jobs/releases/tag/v8.0.7).\n\nThis is an analogous attack vector to that which affected `sidekiq` gem from version v7.0.4 to v7.0.7, and was given identifiers [GHSA-h3r8-h5qw-4r35](https://github.com/advisories/GHSA-h3r8-h5qw-4r35) \u0026 [CVE-2023-1892](https://github.com/advisories/GHSA-h3r8-h5qw-4r35).\n\nThe vulnerability in `sidekiq-unique-jobs`\u0027 was *not* fixed by `sidekiq` [v7.0.8](https://github.com/sidekiq/sidekiq/blob/main/Changes.md#708), nor the more recent `sidekiq` [v7.2.0](https://github.com/sidekiq/sidekiq/blob/main/Changes.md#720) releases; they are similar but unrelated, distinct vulnerabilities in adjacent projects.\n\nNote #1: The admin web UI for `sidekiq-unique-jobs` is not protected by any authorization constraint in the default configuration. Auth constraints must be configured by the programmer.  It is recommended and expected that users will configure authorization constrains on the \"admin\" UI.  This is not specifically related to the vulnerability but may make users who fail to constrain their \"admin\" UI even more vulnerable.\n\nNote #2: Most users of the library will not have configured the UI on a sandboxed subdomain, making all their cookies, localStorage data and session secrets [vulnerable to exposure](https://liveoverflow.com/do-not-use-alert-1-in-xss/).  The purpose of a sandboxed subdomain is expressly to prevent leaking sensitive data through XSS attacks.\n\nXSS Fix PR: https://github.com/mhenrixon/sidekiq-unique-jobs/pull/829\n\n### PoC\n\n**XSS**\n\nUse a string like:\n```\n%22%3E%3Cimg/src/onerror=alert(document.domain)%3E\n```\nas the value for one of the parameters that are handled without escaping.\nReference: https://liveoverflow.com/do-not-use-alert-1-in-xss/\n\n1. Visit [/sidekiq/changelogs](http://localhost:3000/sidekiq/changelogs) -  with a crafted query string like one of the following:\n  a. Screenshot: ![XSS changelogs sidekiq-unique-jobs lte v8 0 6](https://github.com/mhenrixon/sidekiq-unique-jobs/assets/19505/61788878-96af-4f97-8c11-b4c343b30c89)\n  b. `filter` is XSS vulnerable: `?filter=%22%3E%3Cimg/src/onerror=alert(document.domain)%3E`\n  c. `count` is vulnerable to triggering an application error (status 500), potentially allowing resource exhaustion `?count=%22%3E%3Cimg/src/onerror=alert(document.domain)%3E`\n    1. Screenshot: ![1c changelogs count](https://github.com/mhenrixon/sidekiq-unique-jobs/assets/19505/4c2cfe41-b8f5-49ef-90eb-4a20841874f9)\n2. Visit [/sidekiq/locks](http://localhost:3000/sidekiq/locks) - with a crafted query string like one of the following:\n  a. Screenshot: ![XSS locks sidekiq-unique-jobs lte v8 0 6](https://github.com/mhenrixon/sidekiq-unique-jobs/assets/19505/4a60cf44-8caa-42a3-a812-3ace81c21e0c)\n  b. `filter` is XSS vulnerable: `?filter=%22%3E%3Cimg/src/onerror=alert(document.domain)%3E`\n  c. `count` is vulnerable to triggering an application error (status 500), potentially allowing resource exhaustion `?count=%22%3E%3Cimg/src/onerror=alert(document.domain)%3E`\n    1. Screenshot: ![2c locks count](https://github.com/mhenrixon/sidekiq-unique-jobs/assets/19505/630d98a6-a3b4-46c8-b7a4-ca8c0e306c13)\n3. Visit [/sidekiq/expiring_locks](http://localhost:3000/sidekiq/expiring_locks) - with a crafted query string like one of the following: \n  a. Screenshot: ![XSS expiring_locks sidekiq-unique-jobs lte v8 0 6](https://github.com/mhenrixon/sidekiq-unique-jobs/assets/19505/7566515e-1edb-4436-8ec4-672c28437534)\n  b. `filter` is XSS vulnerable: `?filter=%22%3E%3Cimg/src/onerror=alert(document.domain)%3E`\n\n### Impact\n\nThis is a vulnerability of critical severity, which impacts many thousands of sites, since `sidekiq-unique-jobs` is widely deployed across the industry, with multiple attack vectors.",
  "id": "GHSA-cmh9-rx85-xj38",
  "modified": "2024-02-20T16:40:10Z",
  "published": "2024-02-13T18:34:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mhenrixon/sidekiq-unique-jobs/security/advisories/GHSA-cmh9-rx85-xj38"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25122"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mhenrixon/sidekiq-unique-jobs/commit/cd09ba6108f98973b6649a6149790c3d4502b4cc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mhenrixon/sidekiq-unique-jobs/commit/ec3afd920c1b55843c72f748a87baac7f8be82ed"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mhenrixon/sidekiq-unique-jobs"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/sidekiq-unique-jobs/CVE-2024-25122.yml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XSS sidekiq-unique-jobs UI server vulnerability"
}

Mitigation
Implementation

Carefully check each input parameter against a rigorous positive specification (allowlist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities is to validate only fields that are expected to be redisplayed by the site. We often encounter data from the request that is reflected by the application server or the application that the development team did not anticipate. Also, a field that is not currently reflected may be used by a future developer. Therefore, validating ALL parts of the HTTP request is recommended.

Mitigation MIT-30.1
Implementation

Strategy: Output Encoding

  • Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component.
  • The problem of inconsistent output encodings often arises in web pages. If an encoding is not specified in an HTTP header, web browsers often guess about which encoding is being used. This can open up the browser to subtle XSS attacks.
Mitigation MIT-43
Implementation

With Struts, write all data from form beans with the bean's filter attribute set to true.

Mitigation MIT-31
Implementation

Strategy: Attack Surface Reduction

To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XmlHttpRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.

CAPEC-18: XSS Targeting Non-Script Elements

This attack is a form of Cross-Site Scripting (XSS) where malicious scripts are embedded in elements that are not expected to host scripts such as image tags (<img>), comments in XML documents (< !-CDATA->), etc. These tags may not be subject to the same input validation, output validation, and other content filtering and checking routines, so this can create an opportunity for an adversary to tunnel through the application's elements and launch a XSS attack through other elements. As with all remote attacks, it is important to differentiate the ability to launch an attack (such as probing an internal network for unpatched servers) and the ability of the remote adversary to collect and interpret the output of said attack.

CAPEC-193: PHP Remote File Inclusion

In this pattern the adversary is able to load and execute arbitrary code remotely available from the application. This is usually accomplished through an insecurely configured PHP runtime environment and an improperly sanitized "include" or "require" call, which the user can then control to point to any web-accessible file. This allows adversaries to hijack the targeted application and force it to execute their own instructions.

CAPEC-32: XSS Through HTTP Query Strings

An adversary embeds malicious script code in the parameters of an HTTP query string and convinces a victim to submit the HTTP request that contains the query string to a vulnerable web application. The web application then procedes to use the values parameters without properly validation them first and generates the HTML code that will be executed by the victim's browser.

CAPEC-86: XSS Through HTTP Headers

An adversary exploits web applications that generate web content, such as links in a HTML page, based on unvalidated or improperly validated data submitted by other actors. XSS in HTTP Headers attacks target the HTTP headers which are hidden from most users and may not be validated by web applications.