CVE-2022-23466: fix(event) dashboard: prevent DOM-XSS for incoming events · kitabisa/teler@20f59ed
teler is a real-time intrusion detection and threat alert dashboard. teler prior to version 2.0.0-rc.4 is vulnerable to DOM-based cross-site scripting (XSS) in the teler dashboard. When teler requests messages from the event stream on the /events endpoint, the log data displayed on the dashboard is not sanitized. This only affects authenticated users and can only be exploited based on detected threats if the log contains a DOM scripting payload. This vulnerability has been fixed in version v2.0.0-rc.4. Users are advised to upgrade. There are no known workarounds for this vulnerability.
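The pattern behind the fix, as an added example that is not teler's own code: every field taken from an event-stream message is HTML-escaped before it is interpolated into markup, and the escaper coerces non-string values so a missing field cannot throw. The `SAMPLE_EVENT` object, its field names and the `renderRow*` helpers are constructed for this illustration and are not the dashboard's real message shape.

```javascript
// Added example (not teler's code): escaping event fields before they reach innerHTML.

// Entity map: each HTML metacharacter becomes its entity, so the browser
// renders it as text instead of parsing it as markup or an attribute delimiter.
const ENTITY_MAP = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape a value for use in HTML text or a double-quoted attribute.
// String(value ?? '') makes numbers and undefined fields safe to pass in.
const escapeHTML = (value) =>
  String(value ?? '').replace(/[&<>"']/g, (m) => ENTITY_MAP[m]);

// Constructed sample event (assumed shape, not the real stream format): the
// matched request line carries a script tag, as a detected threat's log line would.
const SAMPLE_EVENT = {
  category: 'Common Web Attack',
  element: 'request_uri',
  request_uri: 'GET /?q=<script>alert(1)</script> HTTP/1.1',
};

// Vulnerable rendering: raw fields interpolated straight into markup.
const renderRowUnsafe = (data) => [
  `<strong>${data.category}</strong>`,
  `<div>${data.element}</div>`,
  `<strong>${data[data.element]}</strong>`,
  `<pre>${JSON.stringify(data)}</pre>`,
].join('');

// Hardened rendering: every stream-derived value escaped, including the
// JSON dump, which repeats the raw log line verbatim.
const renderRowSafe = (data) => [
  `<strong>${escapeHTML(data.category)}</strong>`,
  `<div>${escapeHTML(data.element)}</div>`,
  `<strong>${escapeHTML(data[data.element])}</strong>`,
  `<pre>${escapeHTML(JSON.stringify(data))}</pre>`,
].join('');

// Cheap regression check: does the markup still contain a live <script> element?
const containsRawScriptTag = (html) => /<script[\s>]/i.test(html);

console.log('unsafe row has script tag:', containsRawScriptTag(renderRowUnsafe(SAMPLE_EVENT)));
console.log('safe row has script tag:  ', containsRawScriptTag(renderRowSafe(SAMPLE_EVENT)));
```

Escaping once, right where the value is interpolated, is what keeps the dashboard from executing attacker-controlled log content; setting `textContent` on the created cell instead of assigning `innerHTML` would avoid the need for an escaper entirely.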
@@ -8,6 +8,10 @@ document.addEventListener('DOMContentLoaded’, function(event) {
filtersCount: document.getElementById(‘filters-count’).getElementsByTagName(‘span’)[0]
};
const slugify = (value) => value.toLowerCase().replace(/[^a-z0-9 -]/g, ‘’).replace(/\s+/g, '-').replace(/-+/g, '-');
const escapeHTML = (string) => {
const map = {’&’: '&’, '<’: '<’, '>’: '>’, '"’: '"’, "’": '’’};
return string.replace(/[&<>"’]/g, function(m) { return map[m]; });
};
const sort = (list) => {
signatures = list.getElementsByTagName(“li”);
Array.from(signatures)
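Review bot: the entity map in `escapeHTML` reads as a no-op as rendered here (`'&': '&'`, `'<': '<'`, ...): every key maps to itself, so the function would return its input unchanged. If that is a display artefact, the committed values should be the entities `&amp;`, `&lt;`, `&gt;`, `&quot;` and `&#39;`; worth confirming in the raw file. Two smaller points: the regex character class and the map's last key appear with a typographic quote (`’`) rather than `'`, which would leave the ASCII apostrophe unescaped, and `string.replace` throws on non-string input, so callers passing a number or an undefined field (as `data[data.element]` can be) need `String(value ?? '')` first.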
@@ -70,9 +74,9 @@ document.addEventListener('DOMContentLoaded’, function(event) {
row.classList.add('log’, sigId);
row.id = eventId;
row.insertCell(0).innerHTML = `<td class="date"><span class="datetime" title="${new Date().toLocaleString}">${new Date().toLocaleTimeString()}</span></td>`;
row.insertCell(1).innerHTML = `<td class="category-name"><strong>${data.category}</strong></td>`;
row.insertCell(1).innerHTML = `<td class="category-name"><strong>${escapeHTML(data.category)}</strong></td>`;
row.insertCell(2).innerHTML = `<td class="element"><div>${data.element}</pre></div></td>`;
row.insertCell(3).innerHTML = `<td class="matches"><strong>${data[data.element]}</strong></td>`;
row.insertCell(3).innerHTML = `<td class="matches"><strong>${escapeHTML(data[data.element])}</strong></td>`;
row.insertCell(4).innerHTML = `<td class="log-line"><div><pre>${JSON.stringify(data)}</pre></div></td>`;
settings.matchesCount.textContent = `${document.getElementsByClassName(‘log’).length} threats`;
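Review bot: two interpolations in this hunk still reach `innerHTML` unescaped: `${data.element}` on the element cell and `${JSON.stringify(data)}` on the log-line cell. Both come from the same event-stream message as `category` and `data[data.element]`, and the JSON dump repeats the full raw log line, so the payload escaped in cell 3 is re-inserted unescaped in cell 4. Wrap both in `escapeHTML(...)`, or set the cell's `textContent` instead of building markup. Also on these lines: `<div>${data.element}</pre></div>` closes a `<pre>` that was never opened; `title="${new Date().toLocaleString}"` is missing the call parentheses, so the title holds the function's source text rather than a date; and since `insertCell` already creates the `<td>`, the inner `<td class="...">` markup appears to be dropped by the parser, so those classes never apply.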
@@ -103,7 +107,7 @@ document.addEventListener('DOMContentLoaded’, function(event) {
const createSignature = (name) => {
var li = document.createElement(‘li’);
li.id = slugify(name)
li.innerHTML = `<a href="#" class="menu-item" title="${name}">${name}</a>`;
li.innerHTML = `<a href="#" class="menu-item" title="${escapeHTML(name)}">${escapeHTML(name)}</a>`;
li.addEventListener('click’, (e) => {
e.preventDefault();
filterSignature(li);
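Review bot: `escapeHTML(name)` covers both the `title` attribute and the link text here because the map includes `"`, so the double-quoted attribute cannot be broken out of. A simpler alternative that needs no escaping at all is `document.createElement('a')` with `a.textContent = name` and `a.title = name`, then `li.appendChild(a)`. Minor: `li.id = slugify(name)` lacks its semicolon, unlike the surrounding lines.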
Related news

### Description

teler prior to version <= 2.0.0-rc.4 is vulnerable to DOM-based cross-site scripting (XSS) in the teler dashboard. When teler requests messages from the event stream on the `/events` endpoint, the log data displayed on the dashboard is not sanitized.

### Impact

This only affects authenticated users and can only be exploited based on detected threats if the log contains a DOM scripting payload. This indicates a low severity and there is no significant impact on the users.

### Affected Version

This issue was introduced from version `v2.0.0-rc` to `v2.0.0-rc.3` & `v2.0.0-dev`.

### Patches

This vulnerability has been fixed in version `v2.0.0-rc.4` & `v2.0.0-dev.2`.

### Workarounds

Here are some workarounds to handle this case:

- Deactivate the live event dashboard from the configuration file, or
- Upgrade teler to version `v2.0.0-rc.4` or `v2.0.0-dev.2` & above.

### References

- https://github.com/kitabisa/teler/commit/20f59eda2420ac64e29f199a61230a0abc875e8e