CVE-2021-44217

[Suggested description] In Ericsson CodeChecker through 6.18.0, a stored cross-site scripting (XSS) vulnerability in the comments component of the reports viewer allows remote attackers to inject arbitrary web script or HTML via the POST JSON data of the /CodeCheckerService API.


[Additional Information] The CodeChecker web server has a permission system to isolate users with different privileges, and it also stores each user's cookie in document.cookie. Therefore a low-privileged attacker (such as the guest account) can use this bug to steal the secret cookie of a superuser, or any other sensitive information in the scanning reports, by making the victim's browser request a data-fetching API. Using out-of-band techniques, this sensitive information can easily be delivered to the attacker's server.


[Vulnerability Type] Cross Site Scripting (XSS)


[Vendor of Product] Ericsson


[Affected Product Code Base] CodeChecker - <= 6.18.0


[Affected Component] "Comments" component of reports viewer


[Attack Type] Remote


[Impact Code execution] true


[Impact Escalation of Privileges] true


[Impact Information Disclosure] true


[Attack Vectors] To exploit this vulnerability, someone needs to add a comment under any scanning report.


[Reference]
https://codechecker-demo.eastus.cloudapp.azure.com/
https://user-images.githubusercontent.com/9525971/142965091-e118b012-a7fc-4c2f-ad0c-80aeed6f7ec9.png
https://github.com/Ericsson/codechecker/releases


[Discoverer] Xinyi Chen - S&G Security TMG

The comments component of the reports viewer does not validate or escape user input, which leads to a stored XSS on this page.
An attacker may exploit this bug to steal the secret cookie or any other sensitive information returned by a data-fetching API.
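As an added illustration (not CodeChecker's own code), the unescaped rendering pattern that produces this kind of stored XSS, beside its output-escaped form and an audit helper for comments that were stored before escaping was in place. The comment object shape, the function names and the sample comments are assumptions.

```javascript
// Added example, not CodeChecker's own code: output escaping for
// user-controlled comment fields in a report viewer.
// Assumptions: the comment shape {author, message} and the function
// names are hypothetical and do not reflect the CodeChecker API.

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the stored message is interpolated into markup as-is,
// so markup inside the comment becomes part of the page for every viewer.
function renderCommentUnsafe(comment) {
  return `<div class="comment"><b>${comment.author}</b>: ${comment.message}</div>`;
}

// Hardened pattern: every user-controlled field is escaped at output time,
// so the browser shows the comment text instead of interpreting it.
function renderCommentSafe(comment) {
  const author = escapeHtml(comment.author);
  const message = escapeHtml(comment.message);
  return `<div class="comment"><b>${author}</b>: ${message}</div>`;
}

// Audit helper: flag stored comments that contain HTML tags so an operator
// can review comments that were saved while no output escaping existed.
function findSuspiciousComments(comments) {
  const tagPattern = /<\s*\/?\s*[a-z][^>]*>/i;
  return comments.filter(
    (c) => tagPattern.test(c.message) || tagPattern.test(c.author)
  );
}

// Constructed sample comments (not real CodeChecker data).
const sampleComments = [
  { author: "alice", message: "False positive, the pointer is checked on line 12." },
  { author: "guest", message: "Looks fine <script>alert(1)</script>" },
];

// Rendered safely, the second comment shows the markup as literal text.
const renderedSamples = sampleComments.map(renderCommentSafe);
```

The audit helper is a coarse filter for triage of existing data; it is not a substitute for escaping at output time.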