MNDT-2022-0020
Archer 6.x through 6.9 SP1 P4 (6.9.1.4) contains a stored XSS vulnerability. A remote authenticated administrative Archer user could potentially exploit this vulnerability to store malicious HTML or JavaScript code in a trusted application data store. When application users access the corrupted data store through their browsers, the malicious code gets executed by the web browser in the context of the vulnerable web application.
Common Weakness Enumeration
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Impact
Medium - An authenticated admin can execute arbitrary JavaScript in the victim's browser. This allows the attacker to impersonate the user to the application and can be used as part of an attack to steal user credentials.
Exploitability
Medium - The attacker requires a user account on the application in order to inject a script. Once a script is injected, it is stored in the application and all users can be affected.
CVE Reference
CVE-2021-33616
Technical Details
In the "Packages" admin module, a threat actor can create or modify a package and give it an arbitrary description. By replacing the package's "Description" field with an XSS payload, the threat actor stores the payload in the application.
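The general pattern behind this class of bug, as an added example (not Archer's code and not part of the advisory): a hypothetical package-list renderer that writes a stored description into HTML, first without encoding and then with output encoding for both element and attribute contexts. The record shape, function names and sample data are assumptions constructed for illustration.

```javascript
// Added example: hypothetical renderer, not Archer code.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Encode text for an HTML element body or a quoted attribute value.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: stored fields are concatenated into markup as-is,
// so whatever an admin saved is parsed as HTML by every viewer's browser.
function renderPackageRowUnsafe(pkg) {
  return `<tr><td title="${pkg.description}">${pkg.name}</td>` +
         `<td>${pkg.description}</td></tr>`;
}

// Hardened pattern: every stored field is encoded at output time,
// regardless of who wrote it or how trusted the data store is.
function renderPackageRowSafe(pkg) {
  const name = escapeHtml(pkg.name);
  const description = escapeHtml(pkg.description);
  return `<tr><td title="${description}">${name}</td>` +
         `<td>${description}</td></tr>`;
}

// Constructed sample records (hypothetical shape: name + description).
const samplePackages = [
  { name: "Quarterly Controls", description: "Controls & tests for Q3" },
  { name: "Vendor Import", description: '<script>alert("constructed")</script>' },
  { name: "Attribute Case", description: '" onmouseover="alert(1)' },
];

// Render every sample record with the given row renderer.
function renderAll(renderRow) {
  return samplePackages.map(renderRow);
}

for (const row of renderAll(renderPackageRowSafe)) {
  console.log(row);
}
```

Encoding at output time covers descriptions that were already stored before any input validation was added.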
Discovery Credits
Mandiant, Angelo Alviar, Michael Maturi, and Troy Knutson
Disclosure Timeline
- 2021-05-27 - Issue reported to RSA Archer.
- 2022-05-01 - RSA Archer released a patch and posted a public Security Advisory.