Headline

CVE-2020-23452: Cross-Site Scripting (XSS) in hub's web interface · Issue #8259 · SeleniumHQ/selenium

A cross-site scripting (XSS) vulnerability in Selenium Grid v3.141.59 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the hub parameter under the /grid/console page.

1 year ago

CVE

Open in Source

#xss #vulnerability #web #java

🐛 Bug Report

A cross-site scripting (XSS) vulnerability exists in Selenium Grid hub’s web interface. The vulnerability is located in /grid/console page where unvalidated user input from node’s configuration is displayed back to the users.

To Reproduce

A node can register to a hub using the following configuration file, where an XSS payload is given in the hub parameter. Since the payload is written as a URL GET parameter value, the node is still be able to register to the hub.

Once the hub’s web interface is opened, injected JavaScript code is executed on the user’s browser, as shown below.

Also, injected JavaScript code can be seen by inspecting the page source.

Expected behavior

The contents of configuration file should be encoded before being displayed to users.

Environment

The vulnerability exists regardless of the environment.
The test is done using Selenium Grid v3.141.59.