Headline
CVE-2023-43193: Submitty Cross-Site Scripting (XSS) Vulnerability Report
Submitty before v22.06.00 is vulnerable to Cross Site Scripting (XSS). An attacker can create a malicious link in the forum that leads to XSS.
CVSS Score
- CVSS v3.1: 6.5
- Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Impact
- Confidentiality: The attacker can read any data within the victim’s context.
- Integrity: The attacker can utilize the victim’s privilege to perform actions as that user.
- Availability: If the victim is an administrator, the attacker can prevent the service from running.
Likelihood
- Skill Required: This attack requires basic knowledge of XSS and Markdown.
- Conditions: The attacker must be able to post a malicious link to the forum, and the victim must click the link to trigger the attack.
- Discoverability: This vulnerability is easy to find.
Problem Details
Overview
This report identifies a Cross-Site Scripting (XSS) vulnerability within Submitty, specifically within the Markdown rendering functionality of the forum component. The vulnerability arises due to inadequate sanitization of user input in Markdown links. An attacker can exploit this flaw by crafting a malicious Markdown link that contains embedded JavaScript code.
Markdown, being a lightweight markup language, is widely used for formatting text on the web. Submitty uses Markdown for various user-generated content areas. However, the current implementation does not properly escape JavaScript URLs (javascript:) within the links. As a result, when a Markdown link containing JavaScript is rendered, the script gets executed instead of being treated as a regular hyperlink.
This type of XSS vulnerability is particularly concerning because:
- It allows an attacker to execute arbitrary JavaScript code in the context of the user’s browser session.
- It can lead to a range of malicious activities, including session hijacking, personal data theft, and delivery of malware.
- It affects all users viewing the rendered Markdown content, making it a significant threat to the user base.
Affected Area
The forum component of Submitty.
Root Cause
The vulnerability originates from the use of the CommonMarkConverter library in the application for rendering Markdown content. While CommonMarkConverter is a robust and popular choice for converting Markdown to HTML, its security relies heavily on proper configuration.
The primary cause of this XSS vulnerability is a misconfiguration in the CommonMarkConverter usage. Specifically, the allow_unsafe_links option was not explicitly set to false. This configuration flag controls whether the parser permits javascript: URLs, which are inherently dangerous as they can be used to execute JavaScript code directly in the browser. By default, CommonMarkConverter is designed to allow all links, including javascript: URLs, considering some use cases might require such functionality. However, this default behavior poses a significant security risk in environments where user-generated content is parsed and rendered.
Steps to Reproduce
The following steps reproduce the issue.
- Access the forum component of Submitty (any version before v22.06.00).
- Create a new post, enable Markdown, and use [XSS](javascript:alert('XSS')) as the payload.
- Submit the new post.
- Click the XSS link and observe that javascript:alert('XSS') is executed.
Remediation
When using the CommonMarkConverter library, the allow_unsafe_links option should be explicitly set to false.
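The following is an added example and is not code from the original report or from Submitty itself. It assumes the league/commonmark 2.x library (which provides the CommonMarkConverter class) is installed via Composer. It renders the report's payload and a benign link through both the default configuration and the hardened one recommended above, then checks the resulting HTML for script-capable href schemes. The containsUnsafeHref helper and the sample posts are constructed for this example.

```php
<?php
// Added example (not Submitty's code): contrasts the default CommonMarkConverter
// configuration with the hardened one described in this report.
// Assumes league/commonmark 2.x installed via Composer.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use League\CommonMark\CommonMarkConverter;

// Constructed sample forum posts: the report's payload and a benign link.
$posts = [
    "[XSS](javascript:alert('XSS'))",
    "[Course page](https://submitty.org/)",
];

// Vulnerable configuration: allow_unsafe_links defaults to true, so the
// javascript: URL is written straight into the href attribute.
$defaultConverter = new CommonMarkConverter();

// Hardened configuration: with allow_unsafe_links set to false the library
// omits the href of any link whose URL uses a javascript:, vbscript:, file:
// or non-image data: scheme, so the anchor has no destination to execute.
$hardenedConverter = new CommonMarkConverter([
    'allow_unsafe_links' => false,
]);

/**
 * Post-render check (constructed for this example): returns true if any
 * <a href> in the HTML uses a scheme that a browser would execute as script.
 * This complements the converter option; it is not a substitute for it.
 */
function containsUnsafeHref(string $html): bool
{
    $doc = new DOMDocument();
    // Suppress parser warnings for fragments; wrap in a body for stable parsing.
    @$doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    foreach ($doc->getElementsByTagName('a') as $anchor) {
        // DOMDocument decodes entities, so the scheme check sees the real value.
        $href = trim($anchor->getAttribute('href'));
        if (preg_match('/^(javascript|vbscript):/i', $href) === 1) {
            return true;
        }
    }
    return false;
}

foreach ($posts as $markdown) {
    $defaultHtml  = (string) $defaultConverter->convert($markdown);
    $hardenedHtml = (string) $hardenedConverter->convert($markdown);

    printf("Markdown : %s\n", $markdown);
    printf("default  : %s  unsafe href: %s\n",
        trim($defaultHtml), containsUnsafeHref($defaultHtml) ? 'yes' : 'no');
    printf("hardened : %s  unsafe href: %s\n\n",
        trim($hardenedHtml), containsUnsafeHref($hardenedHtml) ? 'yes' : 'no');
}
```

Run with `php example.php` after `composer require league/commonmark`. For the payload post, the default converter emits an anchor whose href begins with javascript: and the check reports it as unsafe; the hardened converter renders the same link as an anchor without an href, so the check passes. The benign https: link renders identically under both configurations, which is the property to verify when rolling this change out: the option removes only the dangerous schemes, not ordinary links.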
References
The vulnerability has been fixed as a part of pull request 8032.
Report prepared by: Fu Chai
Date: 10/31/2023