CVE-2022-42225: Multiple XSS

Jumpserver 2.10.0 <= version <= 2.26.0 contains multiple stored XSS vulnerabilities caused by improper filtering of user input. They allow arbitrary JavaScript to execute with an administrator's permissions.

Tags: #xss #csrf #vulnerability #git #java

1. Stored XSS in ticket comments

Vulnerability description

A malicious user can submit a ticket to request access to certain resources. After submitting the ticket, the user can also add comments to it. When an administrator opens the ticket to approve it, they see the comments for details. Because the user's input is not filtered and v-html is used to render it directly, this is a stored XSS vulnerability: arbitrary JavaScript executes with the administrator's permissions, for example performing CSRF to promote the normal user to the administrator role.

Affected versions

2.24.0 <= version <= 2.28.X

Reference

https://github.com/jumpserver/lina/pull/2264

Steps to reproduce

1. Log in as a normal user.

2. Submit a ticket applying for something.

3. Add the comment: <img src=x onerror='alert(document.cookie)'>

4. Wait for an administrator to open the ticket; the XSS triggers.

5. With a different payload in the same comment field, the script that runs when the administrator opens the ticket can instead issue the request that promotes the normal user to administrator (CSRF with the administrator's session). The injection point is the same as in step 3:

<img src=x onerror='alert(document.cookie)'>

2. Stored XSS in Alarm Messages Subscribe

Vulnerability description

Jumpserver provides a feature for restricting dangerous commands, and administrators can receive alarm messages by configuring recipients. When a recipient is being set, the third-party component used for the picker renders the 'label' parameter with v-html, so a crafted username becomes a stored XSS vulnerability: arbitrary JavaScript executes with the administrator's permissions, for example performing CSRF to promote a normal user to the administrator role.

Affected versions

2.10.0 <= version <= 2.28.X

Reference

https://github.com/jumpserver/lina/pull/2264

https://github.com/Krryxa/krry-transfer/blob/master/src/packages/paging/models/box.vue#L50

Severity

Medium

Steps to reproduce

1. Log in to Jumpserver as an administrator (administrator permission is required to create the user; the payload fires for whichever administrator later edits the recipients).

2. Add a new user whose name or username is: <img src=x onerror='alert(document.cookie)'>

3. Open System Setting -> Message -> change receivers; the XSS executes.
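Both findings above share one root cause: a user-controlled string (the ticket comment in finding 1, the username used as the recipient picker's option label in finding 2) is rendered with v-html instead of text interpolation. The following reproduces both render paths outside Vue so the difference is observable in plain Node. It is an added example written for this page, not JumpServer's code nor the change in the referenced lina pull request; the option shape { value, label }, the function names and the sample users are assumptions for illustration.

```javascript
// Added example, not JumpServer's code or the lina fix. Both findings in this advisory share
// one root cause: a user-controlled string (a ticket comment; a username used as an option
// label in the recipient picker) is rendered with v-html instead of text interpolation.
// This reproduces both render paths in plain Node so the difference is checkable offline.

// Constructed sample input: the payload quoted in the advisory.
const PAYLOAD = "<img src=x onerror='alert(document.cookie)'>";

// Escapes the characters that let a string break out of an HTML text or attribute context.
// Vue's {{ }} interpolation does this for you; v-html deliberately does not.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Finding 1, vulnerable shape: equivalent of <div v-html="comment">.
// The comment is inserted as markup, so an <img onerror> inside it becomes a live element.
function renderTicketCommentUnsafe(comment) {
  return `<div class="ticket-comment">${comment}</div>`;
}

// Finding 1, fixed shape: equivalent of <div>{{ comment }}</div>.
function renderTicketCommentSafe(comment) {
  return `<div class="ticket-comment">${escapeHtml(comment)}</div>`;
}

// Finding 2: a recipient picker builds each option's label with v-html. The { value, label }
// option shape is an assumption for this example; JumpServer feeds the username in as label.
function renderRecipientOptionsUnsafe(options) {
  return options.map((o) => `<li data-value="${o.value}">${o.label}</li>`).join("");
}

// Finding 2, fixed shape: both the attribute value and the label are escaped for their context.
function renderRecipientOptionsSafe(options) {
  return options
    .map((o) => `<li data-value="${escapeHtml(o.value)}">${escapeHtml(o.label)}</li>`)
    .join("");
}

// Minimal check used to make the result observable without a browser: does the markup contain
// a real element carrying an inline event-handler attribute (onerror=, onload=, ...)? A DOM
// would parse and fire that handler; the escaped output only contains the text "&lt;img ...".
const INLINE_HANDLER = /<[a-z][^>]*\son[a-z]+\s*=/i;
function hasInlineHandler(html) {
  return INLINE_HANDLER.test(html);
}

// Runs every path once and reports which ones would execute the payload.
function demo() {
  const users = [
    { value: "alice", label: "alice" },        // ordinary user (constructed)
    { value: "attacker", label: PAYLOAD },     // username crafted as in step 2 of finding 2
  ];
  return {
    commentUnsafe: hasInlineHandler(renderTicketCommentUnsafe(PAYLOAD)),      // true
    commentSafe: hasInlineHandler(renderTicketCommentSafe(PAYLOAD)),          // false
    recipientsUnsafe: hasInlineHandler(renderRecipientOptionsUnsafe(users)),  // true
    recipientsSafe: hasInlineHandler(renderRecipientOptionsSafe(users)),      // false
  };
}

console.log(demo());
```

Run it with node: the two Unsafe paths report true because the payload survives as a live img element with an onerror handler, and the escaped paths report false. The fix direction is to render user-supplied strings as text; where rich content is genuinely required, sanitize against an allow-list before handing it to v-html rather than trusting the stored value. The CSRF follow-on the advisory describes works because the injected script already runs in the administrator's authenticated origin, so anti-CSRF tokens and SameSite cookies do not help once the XSS executes.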
