GHSA-2F46-4XJM-73X5

Vulnerability from github – Published: 2024-05-20 17:07 – Updated: 2024-05-20 17:07
VLAI
Summary
Passbolt API Stored XSS on first/last name during setup
Details

Description

An administrator can craft a user with a malicious first name and last name, using a payload such as

<svg onload="confirm(document.domain)">'); ?></svg>

The user will then receive the invitation email and click on the setup link. The setup start page served by the server will fire the XSS.

Impact of issue

An administrator could use this exploit to edit the setup start page for a given user, for example, trick the user into installing another extension. Even though the severity of this issue in itself is high, the likelihood is low because the exploit will be visible in clear by the user in the email notification, and also requires an action from a malicious administrator.

Fix

Sanitize the firstname and lastname in the page that is used to trigger the extension setup process.

Additionally since v2.11 some default CSP are inserted in the server response headers to prevent inline-scripts or 3rd party domain scripts on pages served by the passbolt API. This is to cater for the case where the administrator has not set them up as part of the web server configuration.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "passbolt/passbolt_api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.11.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-20T17:07:44Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Description\nAn administrator can craft a user with a malicious first name and last name, using a payload such as\n```\n\u003csvg onload=\"confirm(document.domain)\"\u003e\u0027); ?\u003e\u003c/svg\u003e\n```\nThe user will then receive the invitation email and click on the setup link. The setup start page served by the server will fire the XSS.\n\n### Impact of issue\nAn administrator could use this exploit to edit the setup start page for a given user, for example, trick the user into installing another extension. Even though the severity of this issue in itself is high, the likelihood is low because the exploit will be visible in clear by the user in the email notification, and also requires an action from a malicious administrator.\n\n### Fix\nSanitize the firstname and lastname in the page that is used to trigger the extension setup process.\n\nAdditionally since v2.11 some default CSP are inserted in the server response headers to prevent inline-scripts or 3rd party domain scripts on pages served by the passbolt API. This is to cater for the case where the administrator has not set them up as part of the web server configuration.",
  "id": "GHSA-2f46-4xjm-73x5",
  "modified": "2024-05-20T17:07:44Z",
  "published": "2024-05-20T17:07:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/passbolt/passbolt_api/commit/6135b483f72c6853e6085e329f5f8d7be60c9933"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/passbolt/passbolt_api/2019-08-07-1.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/passbolt/passbolt_api"
    },
    {
      "type": "WEB",
      "url": "https://github.com/passbolt/passbolt_api/blob/master/CHANGELOG.md#2110---2019-08-08"
    },
    {
      "type": "WEB",
      "url": "https://www.passbolt.com/incidents/20190807_multiple_vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Passbolt API Stored XSS on first/last name during setup"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…