CVE-2022-25507: XSS through Emergency Alert · Issue #28 · FreeTAKTeam/UI

In the FreeTAKServer-UI there is a function to create and view Emergency Alerts that are originating from either the End User Device or from the UI itself. Both Avenues are susceptible to a Stored Cross Site scripting vulnerability in the Callsign parameter.

Web Interface

In the case of a XSS in the WebUI it is as simple as having a callsign with the payload of <img src onerror=alert(/payload/)> which will trigger the Emergency function and display the emergency in the WebUI.

End User Device

What’s more interesting of a scenario is that it is possible to push Emergencies from any of the EUDs, these can range from a 911, TIC (Troops in Contact) or similar.

This can be chained together with the API keys leakage in the response in order to obtain a server RestAPI key for further exploitation, which can take a normal user in the field to a Web Server admin