
CVE-2021-32857: GHSL-2021-1035: Cross-Site Scripting (XSS) in Cockpit Next - CVE-2021-32857

Cockpit is a content management system that allows addition of content management functionality to any site. In versions 0.12.2 and prior, bad HTML sanitization in htmleditor.js may lead to cross-site scripting (XSS) issues. There are no known patches for this issue.


Coordinated Disclosure Timeline

  • 2021-10-29: Report sent to [email protected]
  • 2022-03-25: Publishing as per our disclosure policy

Summary

Bad HTML sanitization in htmleditor.js may lead to cross-site scripting (XSS) issues.

Product

Cockpit Next

Tested Version

Latest at time of writing (0c6628c)

Details

Issue: Bad HTML sanitization in htmleditor.js (GHSL-2021-1035)

The HTML sanitizer does not account for closing tags that contain trailing whitespace before the ">", e.g. </script >. Browsers accept such closing tags, so any malicious script in the form <script>alert(document.domain)</script > survives the sanitization and is executed.

Impact

This issue may lead to cross-site scripting (XSS).

Resources

This issue was found using CodeQL.

PoC:

  • Start an instance: sudo docker run -d --name cockpit -p 8080:80 agentejo/cockpit

  • Open http://localhost:8080/.

  • Log in with username: admin, password: admin.

  • Create a new collection (press the plus in the “Collections” box).

  • Add a field, and set the field type to HTML (click the cog on the right).

  • Fill in the required details (press “SAVE” in the bottom to see what you’ve missed).

  • Go to the entries for the newly created collection (there is a “Show entries” button at the bottom after you press save; alternatively you can click the collection from the front page).

  • Create a new entry.

  • Paste the following into the editor: <script>alert(123)</script >

  • Observe that an alert box will appear in the browser.


Credit

This issue was discovered and reported by GitHub team member @erik-krogh (Erik Krogh Kristensen).

You can contact the GHSL team at [email protected], please include a reference to GHSL-2021-1035 in any communication regarding this issue.
