Headline
GHSA-9cwv-pxcr-hfjc: LF Edge eKuiper Vulnerable to Stored XSS in Configuration Key Functionality
Summary
Stored Cross-Site Scripting (XSS) vulnerability allows attackers to inject malicious scripts into web applications, which can then be executed in the context of other users’ browsers. This can lead to unauthorized access to sensitive information, session hijacking, and spreading of malware, impacting user data privacy and application integrity.
Details
A user with rights to modificate the service (e.g. kuiperUser role) can inject XSS Payload into Connection Configuration key Name (confKey) parameter. Then, after any user with access to this service (e.g. admin) will try to delete this key, a payload will act in victim’s browser.
PoC
- Authorize as a user with rights to modificate the service (e.g. kuiperUser role).
- Create a service or go to the existing one and access the Configuration > Connection page:
- Open any existing Connection and press on
Add configuration key:
- Set any name and Address, then intercept the request and add the following payload to the
confKeyparameter:123%3Cimg%20src=1%20onerror%3dalert%281%29%3E:
- A new configuration key then will be set:
- (Optional) You can authorize another user with access to this service. For nexe steps I will use admin user
- After we push on delete button (trash icon) opposite the created connection, the payload will work:
Impact
Stored Cross-site Scripting (XSS) vulnerability
Reported by Alexey Kosmachev, Lead Pentester from Bi.Zone
Summary
Stored Cross-Site Scripting (XSS) vulnerability allows attackers to inject malicious scripts into web applications, which can then be executed in the context of other users’ browsers. This can lead to unauthorized access to sensitive information, session hijacking, and spreading of malware, impacting user data privacy and application integrity.
Details
A user with rights to modificate the service (e.g. kuiperUser role) can inject XSS Payload into Connection Configuration key Name (confKey) parameter. Then, after any user with access to this service (e.g. admin) will try to delete this key, a payload will act in victim’s browser.
PoC
Authorize as a user with rights to modificate the service (e.g. kuiperUser role).
Create a service or go to the existing one and access the Configuration > Connection page:
Open any existing Connection and press on Add configuration key:
Set any name and Address, then intercept the request and add the following payload to the confKey parameter: 123%3Cimg%20src=1%20onerror%3dalert%281%29%3E:
A new configuration key then will be set:
(Optional) You can authorize another user with access to this service. For nexe steps I will use admin user
After we push on delete button (trash icon) opposite the created connection, the payload will work:
Impact
Stored Cross-site Scripting (XSS) vulnerability
Reported by Alexey Kosmachev, Lead Pentester from Bi.Zone
References
- GHSA-9cwv-pxcr-hfjc
- https://nvd.nist.gov/vuln/detail/CVE-2024-52290
- lf-edge/ekuiper@943c02e